On observing dynamic prioritised actions in SOC

On observing dynamic prioritised actions in SOC? Rosario Pugliese1 , Francesco Tiezzi1 , and Nobuko Yoshida2 1

Dipartimento di Sistemi e Informatica, Università degli Studi di Firenze Viale Morgagni 65, 50134 Firenze, Italia {pugliese,tiezzi}@dsi.unifi.it 2

Department of Computing, Imperial College London 180 Queen’s Gate, South Kensington Campus, SW7 2AZ London, United Kingdom [email protected]

WORKING DRAFT – July 31, 2009

Abstract. In Service-Oriented Computing (SOC), priority mechanisms that combine dynamic priority with local pre-emption enable to model flexible service interactions and fine-grained failure handling. This paper studies the impact of these priority mechanisms on observational semantics for SOC in the process calculus COWS, a sort of extension of asynchronous π-calculus obtained by integrating the above priority mechanisms and other distinctive features of SOC systems, such as, e.g., correlation and pattern matching-based communication, shared variables among parallel threads, activities causing termination. We define natural notions of strong and weak open barbed bisimilarities and prove their coincidence with more manageable characterisations in terms of labelled bisimilarities. These semantics show that COWS’s priority mechanisms partially recover the capability to observe receive actions (that could not be observed in a purely asynchronous setting) and that high priority primitives for termination impose specific conditions on the bisimulations. We also show an application of our theories to a ‘Morra game’ service written in COWS.

?

This work has been supported by the EU project SENSORIA, IST-2 005-016004, and EPSRC GR/T03215, GR/T03208 and EP/F003757.

Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 A ‘Morra game’ scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 µCOWSm : the fragment of µCOWS without priority . . . . . . . . . . . . . . . . . . . . . 3.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Operational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Observational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong open barbed bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong labelled bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Weak open barbed and labelled bisimilarities . . . . . . . . . . . . . . . . . . . . . . 4 µCOWS : the protection- and kill-free fragment of COWS . . . . . . . . . . . . . . . . 4.1 Syntax and operational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Observational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong open barbed bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong labelled bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Weak open barbed and labelled bisimilarities . . . . . . . . . . . . . . . . . . . . . . 5 COWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Operational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Observational semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong open barbed bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Strong labelled bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Weak open barbed and labelled bisimilarities . . . . . . . . . . . . . . . . . . . . . . 5.4 Analysing the ‘Morra game’ scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Concluding remarks and related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A Proofs of main results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.1 µCOWSm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.2 µCOWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.3 COWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2

3 4 7 8 9 12 12 12 16 17 17 19 19 20 23 23 24 24 26 26 26 28 29 30 35 35 40 44

1

Introduction

Service-oriented computing (SOC) is an emergent paradigm for distributed computing that aims to build networks of interoperable applications through the use of platformindependent, reusable software components called services. Service definitions are used as templates for creating service instances that supply application functionalities to either end-user applications or other instances. Being inherently loosely coupled, SOC systems do not provide intrinsic mechanisms to identify service instances for delivering messages and to link together actions executed as part of the same client-service long-running interaction. Therefore, emerging standards like WS-BPEL and WS-CDL advocate the use of correlation data within exchanged messages that the interacting partners can retrieve by means of a pattern matching mechanism. Recently, many process calculi have been expressly designed to model SOC scenarios, so that service definitions and service instances are represented as reactive processes running concurrently. In this setting, priority mechanisms which allow some actions to take precedence over others can be very fruitful. E.g., when a message arrives, the problem arises of rightly handling race conditions among those service instances and the corresponding service definition which are able to receive the message. This can be modelled by exploiting a parallel composition operator that gives precedence to actions with greater priority. Receive activities are then assigned priority values which depend on the messages available so that, in presence of concurrent matching receives, only a receive using a more defined pattern (i.e. having greater priority) can proceed. This way, service instances take precedence over the corresponding service definition when both can process the same message, thus preventing creation of wrong new instances. Notably, receives would have dynamically assigned priority values since these values depend on the matching ability of their argument pattern. Indeed, while computation proceeds, some of the variables used in the argument pattern of a receive can be assigned values, because of execution of syntactically preceding receives or of concurrent threads sharing these variables. This restricts the set of messages matching the pattern while increases the priority of the receive. Furthermore, pre-emption is local since receives having a more defined pattern have a higher execution priority with respect to only the other receives matching the same message. There are other situations where local pre-emption is needed. For example, when a fault arises in a scope, (some of) the remaining activities of the enclosing scope should be terminated before starting the execution of the relative fault handler. This can be modelled by exploiting the same parallel operator as before together with actions for forcing immediate termination of concurrent activities which take the greatest priority. The same mechanism can also be used for exception and compensation handling. However, apart from COWS [33, 32], priority mechanisms that combine dynamic priority with local pre-emption have not been studied yet in the literature [16]. COWS (Calculus for Orchestration of Web Services) is an extension of asynchronous πcalculus [28, 3] equipped with the priority mechanisms sketched above and with other distinctive features of SOC systems inspired by WS-BPEL, such as shared variables among parallel threads, and communication based on correlation and pattern matching. This paper studies the impact of COWS’s priority mechanisms on observational semantics for SOC. The obtained semantic theories are directly usable to check inter3

changeability of services and conformance against service specifications. They can also be used to reduce the size of the model representing services, thus e.g. facilitating model checking of service properties [19]. Since we want to investigate how COWS distinctive features affect well-established semantic theories, we present syntax, operational and observational semantics of COWS in three steps. This will also allows us to gradually introduce the technicalities of our development. Thus, in Section 3 we consider µCOWSm (µCOWS minus priority), a fragment of COWS without priority in parallel composition and linguistic constructs dealing with termination. It retains all the other COWS’s features, like e.g. global scope and pattern matching. In Section 4 we move on µCOWS (micro COWS), the calculus obtained by enriching µCOWSm with priority in parallel composition. Finally, in Section 5 we study the full calculus, that extends µCOWS with primitives for termination. The paper contains four main contributions. 1. In Section 3, to understand the effect of non-binding and localised receives, patternmatching, and global scope on the semantics, we first define strong and weak open barbed bisimilarities [43, 29] for µCOWSm . We then provide more manageable labelled bisimilarities and prove that they are sound and complete with respect to barbed (contextual) ones. Both semantics recall those for asynchronous π-calculus of [3]. A major complication is that, due to the locality of received endpoints (i.e. only the output capability of names may be transmitted, as in the localised πcalculus [34]), the definition of labelled bisimilarities involves a family of relations indexed by sets of names. This is somewhat similar to the definition of quasi-open bisimilarity for π-calculus [43]. 2. In Section 4, to understand the effect of actions with dynamic changing priority on the semantics, we move on µCOWS. Again, we provide sound and complete characterisations of the barbed bisimilarities in terms of corresponding labelled bisimilarities. The obtained semantics inhabits between asynchrony and synchrony because, with respect to a purely asynchronous setting, the priority mechanism permits partially recovering the capability to observe receive actions. 3. In Section 5, we extend our investigation to COWS. The primitives with greatest priority causing termination require specific conditions on the labelled bisimilarities for these to be congruences. The resulting observations are hence more finegrained than the previous ones. Results of coincidence still hold. 4. In Sections 2 and 5, we show a use of the semantic theories developed through a practical example of web service which includes all key features of COWS. Section 6 concludes the paper with a presentation of related and future work, while Appendix A reports a full account of the proofs.

2

A ‘Morra game’ scenario

Before formally defining COWS, we provide some insights into its main features in a step-by-step fashion by means of an example. This is a service inspired by the wellknown game Morra1 and described at two different levels of abstraction. 1

For further information about the Morra game visit the web site http://en.wikipedia. org/wiki/Morra_(game).

4

Let us consider a service that allows its clients to play the Morra game. We consider the variation of Morra where two players, named “odds” and “evens”, throw out a single hand, each showing zero to five fingers. If the sum of fingers shown by both players is an even number then the “evens” player wins; otherwise the “odds” player is the winner. The service collects the two throws (i.e. two integers), calculates the winner and sends the result back to the two players. A high-level specification of the service in COWS is: ∗ [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i | x p • res!hxid , win(xnum , ynum , 1)i | y p • res!hxid , win(xnum , ynum , 0)i )

(1)

The service receives throws from the players via two distinct endpoints, i.e. pairs odds • throw and evens • throw, which can be interpreted as specific implementations of the operation name throw provided by partner names odds and evens. The players are required to provide the partner names, stored in variables x p and y p , that they will use to receive the result. The replication operator ∗ , that spawns in parallel as many copies of its argument term as necessary, permits supporting creation of multiple instances to serve several matches simultaneously. A match is identified by a match-id, stored in xid , that the partners need to provide when sending their throws. To avoid interferences between matches played simultaneously, match-ids should be unique (clients can use the delimitation operator [ ] to guarantee uniqueness). Partner throws arrive randomly, thus any interaction with the service starts with one of the two receive activities odds • throw?hxid , x p , xnum i or evens • throw?hxid , y p , ynum i, corresponding to reception of throws of the match identified by xid , and terminates with the two invoke activities x p • res!hxid, win(xnum , ynum , 1)i and y p • res!hxid, win(xnum , ynum , 0)i, used to reply with the result. We assume that win(x, y, z) is a total function which, if x and y are integers between 0 and 5, returns the string w (abbreviation of ‘winner’) in case (x + y) mod 2 is equal to z, and the string l (abbreviation of ‘loser’) if (x + y) mod 2 is different from z; otherwise, the string err is returned. Service (1) uses the delimitation operator to declare the scope of variables xid , x p , y p , xnum and ynum . An inter-service communication takes place when the arguments of a receive and of a concurrent invoke along the same endpoint match and causes replacement of the variables arguments of the receive with the corresponding values arguments of the invoke (within the scope of variables declarations). Notably, the two receive activities are correlated by means of the shared variable xid . When an invocation for operation throw is processed, it must be checked if a service instance with the same match-id already exists, in which case the invocation is received by the instance, or if the service must produce a new instance. This is done through the dynamic prioritised mechanism of COWS, i.e. assigning the receives by instances (having a more defined pattern) a greater priority than the receives by the service definition. Thus, for example, after an interaction with the following client [z] ( evens • throw!hfirst, cbB, 1i | cbB • res?hfirst, zi . hrest of client Bi ) service definition (1) runs in parallel with the instance identified by the match-id first (the instance is highlighted by a gray background) 5

evens • throwhfirst, cbB, 1i

odds • throwhfirst, cbA, 2i



cbB • reshfirst, li

cbA • reshfirst, wi



Fig. 1. Long-running interaction between clients and high-level Morra specification

∗ [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i | x p • res!hxid, win(xnum , ynum , 1)i | y p • res!hxid, win(xnum , ynum , 0)i ) | [x p , xnum ] ( odds • throw?hfirst, x p , xnum i | x p • res!hfirst, win(xnum , 1, 1)i | cbB • res!hfirst, win(xnum , 1, 0)i ) Now, if another client performs the invocation odds • throw!hfirst, cbA, 2i, it will be processed by the already existing instance because, w.r.t. this invocation, the receive odds • throw?hfirst, x p , xnum i has greater priority than the receive odds • throw?hxid , x p , xnum i (that has a less defined argument pattern). The long-running interaction between the Morra service definition (1) and the above clients is graphically represented in Figure 1, where each node represents a state, while each edge describes a communication action (e.g. label evens • throwhfirst, cbB, 1i denotes taking place of a communication along endpoint evens • throw with matching values hfirst, cbB, 1i). For a lower level implementation, we wish to maximise the abilities of different services, while preserving the observable behaviour of the whole service w.r.t. the highlevel specification. The main service is now composed of three entities as follows: [req2f , req5f , resp2f , resp5f ] ( ∗ M | ∗ 2F | ∗ 5F )

(2)

The delimitation operator is used here to declare that req2f , req5f , resp2f and resp5f are private operation names known to the three components M, 2F and 5F, and only to them. The three subservices are defined as follows: M , [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i | [k] ( m • req2f !hxid , xnum , ynum i | m • req5f !hxid , xnum , ynum i | [xo , xe ] m • resp2f ?hxid , xo , xe i. ( kill(k) | {|x p • res!hxid , xo i | y p • res!hxid , xe i|} ) | [xo , xe ] m • resp5f ?hxid , xo , xe i. ( kill(k) | {|x p • res!hxid , xo i | y p • res!hxid , xe i|} ) ) 6

2F , [x] ( m • req2f ?hx, 1, 1i. m • resp2f !hx, l, wi + m • req2f ?hx, 1, 2i. m • resp2f !hx, w, li + m • req2f ?hx, 2, 1i. m • resp2f !hx, w, li + m • req2f ?hx, 2, 2i. m • resp2f !hx, l, wi ) 5F , [x, y, z] ( m • req5f ?hx, y, zi. m • resp5f !hx, err, erri + m • req5f ?hx, 0, 0i. m • resp5f !hx, l, wi + m • req5f ?hx, 0, 1i. m • resp5f !hx, w, li + . . . + m • req5f ?hx, 5, 5i. m • resp5f !hx, l, wi ) Service M is publicly invocable and can interact with players as well as with the ‘internal’ services 2F and 5F. These latter two services, instead, can only be invoked by M and have the task of calculating the winner of a match. In particular, 2F performs a quick computation of simple matches where both players hold out either one or two fingers, while 5F performs a slower computation of standard 5-fingers matches (that exactly corresponds to the computation modelled by the function win( )). After the two initial receives, for e.g. performance and fault tolerance purposes, M invokes services 2F and 5F concurrently. Communication between M and the other two subservices relies on the match identifier (stored in x) as correlation data. When one of 2F and 5F replies, M immediately stops the other computation. This is done by executing the kill activity kill(k), that forces termination of all unprotected parallel terms inside the enclosing [k] , which stops the killing effect. Kill activities are executed eagerly w.r.t. the other parallel activities included within the enclosing scope, because relatively to these latter activities they take the greatest priority. However, critical activities can be protected from the effect of a forced termination by using the protection operator {| |}; this is indeed the case of the response x p • res!hxid , xo i in our example. Finally, M forwards the responses to the players and terminates. Services 2F and 5F use the choice operator + to offer alternative behaviours: one of them can be selected by executing an invoke matching the receive leading the behaviour. If the throws are not integers between 0 and 5, 2F does not reply, while 5F returns the string err. Indeed, the receive m • req5f ?hx, y, zi is assigned less priority than the other receive activities, i.e. it is only executed when none of the other receives matches the two throws, thus avoiding to return err in case of admissible throws. An interaction of specification (2) with the previous clients is shown in Figure 2, where ∅(m • o) represents an internal communication along the endpoint m • o, while †(m • o?w) ¯ denotes an invisible kill-action that terminates the activity m • o?w¯ (and its continuation). Dotted lines stand for alternative behaviours. Notably, after execution of a communication along m • resp2f , the prioritised semantics of COWS permits executing only the kill action. In the sequel, we will show how dynamic priorities with local pre-emption and (invisible) kill activities affect the observable behaviours. In Section 5, we will study conformance between specifications (1) and (2) using a weak bisimilarity for COWS.

3 µCOWS m : the fragment of µCOWS without priority The fragment of COWS introduced in this section, namely µCOWSm , dispenses with priority in parallel composition and linguistic constructs dealing with termination. 7





∅ (m • req2f )

∅ (m • req5f )

∅ (m • resp2f )

† (m • resp5f ?h. . .i)





Fig. 2. Long-running interaction between clients and low-level Morra specification

3.1

Syntax

The syntax of µCOWSm is presented in Table 1. We use two countable and disjoint sets: the set of values (ranged over by v, v0 , . . . ) and the set of ‘write once’ variables (ranged over by x, y, . . . ). The set of values is left unspecified; however, we assume that it includes the set of names (ranged over by n, m, p, o, . . . ) mainly used to represent partners and operations. We also use a set of expressions (ranged over by ), whose exact syntax is deliberately omitted; we just assume that expressions contain, at least, values and variables. Partner names and operation names can be combined to designate endpoints, written p • o, and can be communicated, but dynamically received names can only be used for service invocation (as in localised π-calculus [34]). Indeed, endpoints of receive activities are identified statically because their syntax only allows using names and not variables. In the sequel, w ranges over values and variables and u ranges over names and variables. Notation ¯· stands for tuples, e.g. x¯ means hx1 , . . . , xn i (with n ≥ 0) where variables in the same tuple are pairwise distinct. We write a, b¯ to denote the tuple ob¯ All notations shall extend to tuples tained by concatenating the element a to the tuple b. component-wise. n ranges over communication endpoints that do not contain variables 8

s ::= | | | |

u • u0 !¯ g s|s [u] s ∗s

(services) (invoke) (receive-guarded choice) (parallel composition) (delimitation) (replication)

g ::= | |

0 p • o?w.s ¯ g+g

(receive-guarded choice) (nil) (request processing) (choice)

Table 1. µCOWSm syntax

(e.g. p • o), while u ranges over communication endpoints that may contain variables (e.g. u • u0 ). Sometimes, we will use notation n and u for the tuples hp, oi and hu, u0 i, respectively, and rely on the context to resolve any ambiguity. When convenient, we shall regard a tuple (hence, also an endpoint) simply as a set, writing e.g. x ∈ y¯ to mean that x is an element of y¯ . We will omit trailing occurrences of 0, writing e.g. p • o?w¯ instead of p • o?w.0, ¯ and write [hu1 , . . . , un i] s in place of [u1 ] . . . [un ] s. We will write I , s to assign a name I to the term s. We adopt the following conventions about the operators precedence: monadic operators bind more tightly than parallel composition, and prefixing more tightly than choice. The only binding construct is delimitation: [u] s binds u in the scope s. In fact, to enable concurrent threads within each service instance to share (part of) the state, receive activities in COWS bind neither names nor variables. The occurrence of a name/variable is free if it is not under the scope of a delimitation for it. Bound and free names are also called private and public names, respectively. We denote by fu(t) the set of free names/variables that occur free in t. Two terms are α-equivalent if one can be obtained from the other by consistently renaming bound names/variables. As usual, we identify terms up to α-equivalence. 3.2

Operational semantics

The operational semantics of µCOWSm is defined only for closed services, i.e. services without free variables. Formally, the semantics is given in terms of a structural congruence and of a labelled transition relation. The structural congruence, written ≡, identifies syntactically different services that intuitively represent the same service. It is defined as the least congruence relation induced by the equational laws shown in Table 2. All the laws are straightforward. In particular, commutativity of consecutive delimitations implies that the order among the ui in [hu1 , . . . , un i] s is irrelevant, thus in the sequel we may use the simpler notation [u1 , . . . , un ] s. The last law permits to extend the scope of names (as in the π-calculus) and variables, thus enabling possible communication. To define the labelled transition relation, we use two auxiliary functions. Firstly, we use the function [[ ]] for evaluating closed expressions (i.e. expressions without variables): it takes a closed expression and returns a value. It is not explicitly defined since the exact syntax of expressions is deliberately not specified. Secondly, we use the partial function M( , ) for performing pattern-matching on semi-structured data and, thus, determining if a receive and an invoke over the same endpoint can synchronise. The rules 9

∗0 ≡ 0

∗ s ≡ s |∗ s

s|0 ≡ s

s1 | s2 ≡ s2 | s1

(s1 | s2 ) | s3 ≡ s1 | (s2 | s3 )

g+0 ≡ g

g1 + g2 ≡ g2 + g1

(g1 + g2 ) + g3 ≡ g1 + (g2 + g3 )

[u] 0 ≡ 0

[u1 ] [u2 ] s ≡ [u2 ] [u1 ] s

s1 | [u] s2 ≡ [u] (s1 | s2 ) if u < fu(s1 )

Table 2. µCOWSm structural congruence

M(x, v) = {x 7→ v}

M(v, v) = ∅

M(hi, hi) = ∅

M(w1 , v1 ) = σ1 M(w¯ 2 , v¯ 2 ) = σ2 M((w1 , w¯ 2 ), (v1 , v¯ 2 )) = σ1 ] σ2

Table 3. Matching rules

defining M( , ) are shown in Table 3. They state that two tuples match if they have the same number of fields and corresponding fields have matching values/variables. Variables match any value, and two values match only if they are identical. When tuples w¯ and v¯ do match, M(w, ¯ v¯ ) returns a substitution for the variables in w; ¯ otherwise, it is undefined. Substitutions (ranged over by σ) are functions mapping variables to values and are written as collections of pairs of the form x 7→ v. Application of substitution σ to s, written s · σ, has the effect of replacing every free occurrence of x in s with v, for each x 7→ v ∈ σ, by possibly using α-conversion for avoiding v to be captured by name delimitations within s. We use ∅ to denote the empty substitution, | σ | to denote the number of pairs in σ, and σ1 ] σ2 to denote the union of σ1 and σ2 when they have disjoint domains. α

The labelled transition relation −−−→ is the least relation over services induced by the rules in Table 4, where label α is generated by the following grammar: α ::= n C [¯n] v¯ | n B [ x¯] w¯ | σ The meaning of labels is as follows: n C [¯n] v¯ and n B [ x¯] w¯ denote execution of invoke and receive activities over the endpoint n with arguments v¯ and w, ¯ and delimited arguments n¯ and x¯, respectively; σ denotes execution of a communication with generated substitution σ to be still applied. ∅ denotes a computational step corresponding to taking place of communication without pending substitutions. We write n C v¯ (resp. n B w) ¯ instead of n C [ ] v¯ (resp. n B [ ] w) ¯ and use u(α) to denote the set of names and variables occurring in α, where u({x 7→ v}) = {x} ∪ fu(v) and u(σ1 ] σ2 ) = u(σ1 ) ∪ u(σ2 ). Moreover, we will use bu(α) to denote the set of names/variables that occur bound in α; i.e. bu(n C [¯n] v¯ ) = n¯ , bu(n B [ x¯] w) ¯ = x¯ and bu(σ) = ∅. We comment on salient points. A service invocation can proceed only if the expressions in the argument can be evaluated (rule (inv)). This means, for example, that if it contains a variable x it is stuck until x is not replaced by a value because of execution of a receive assigning a value to x. A receive activity offers an invocable operation along a given partner name (rule (rec)), and execution of a receive permits to take a decision between alternative behaviours (rule (choice)). Bound invocations, which transmit private names, can be generated by rule (openinv ), while delimited receive activities can proceed 10

α

[[¯ ]] = v¯

(inv)

n C v¯

α

g −−→ s

n B w¯

n?w.s ¯ −−−−−→ s (rec)

α

n!¯ −−−−−→ 0

(choice)

s ≡−−→≡ s0

n C [m] ¯ v¯

s −−−−−−−→ s0

n ∈ v¯

n < (n ∪ m) ¯

n C [n,m] ¯ v¯

n B [¯y] w¯

x ∈ w¯

x < y¯

n B [x,¯y] w¯

s −−→ s0 σ ] {x7→v}

s −−−−−−−−→ s0 (openinv )

α

s −−→ s0 (openrec )

n B w¯

u < u(α) α

(del)

[u] s −−→ [u] s0

[x] s −−−−−−−−→ s0 n C v¯

s1 −−−−−→ s01

(delcom )

σ

[x] s −−−→ s0 ·{x 7→ v}

[n] s −−−−−−−−→ s0 s −−−−−−−→ s0

(str)

α

g + g0 −−→ s

s2 −−−−−→ s02 σ

M(w, ¯ v¯ ) = σ

α

s1 −−→ s01

(com)

s1 | s2 −−−→ s01 | s02

α

(par)

s1 | s2 −−→ s01 | s2

Table 4. µCOWSm operational semantics

thanks to rule (openrec ). Communication can take place when two parallel services perform matching receive and invoke activities (rule (com)). Communication generates a substitution that is recorded in the transition label (for subsequent application), rather than a silent transition as in most process calculi. When the delimitation of a variable x argument of a receive involved in a communication is encountered, i.e. the whole scope of the variable is determined, the delimitation is removed and the substitution for x is applied to the term (rule (delcom )). Variable x disappears from the term and cannot be reassigned a value (for this reason we say that COWS’s variables are ‘write once’). [u] s behaves like s (rule (del)), except when the transition label α contains u. Execution of parallel services is interleaved (rule (par)). Rule (str) is standard and states that structurally congruent services have the same transitions. Notably, bound invocation actions do not appear in rule (com), and therefore cannot directly interact with receive actions, and similarly delimited receive actions cannot synchronise with invoke actions. Such interactions are instead inferred by using structural congruence to pull name/variable delimitations outside of both interacting activities. Since rules (openinv ) and (openrec ) have no impact on inferring computational steps, they could be omitted from the rules defining the operational semantics. However, when it comes to developing behavioural equivalences, such rules turn out to be indispensable. It is also worth noticing that when rule (openrec ) is applied to a closed µCOWSm service, the resulting term could be open. We end with three properties of the operational semantics that will be exploited in the rest of the paper. Property 1. Let s be a µCOWSm term. The following facts hold: n C [¯n] v¯

– If s −−−−−−−→ s0 , then n¯ ⊆ v¯ and n < n¯ . n B [ x¯] w¯ – If s −−−−−−−→ s0 , then x¯ ⊆ w. ¯ Moreover, if s is closed then w\ ¯ x¯ does not contain variables (i.e. it is either a tuple of values or the empty tuple). σ

– If s is closed and s −−−→ s0 , then σ = ∅ and s0 is closed. The above properties can be proved by a straightforward induction on the depth of the shortest inference for the transitions in the hypothesis. 11

3.3

Observational semantics

We introduce now an observational semantics for µCOWSm . Specifically, we define natural notions of strong and weak open barbed bisimilarities and prove their coincidence with more manageable characterisations in terms of labelled bisimilarities. Strong open barbed bisimilarity. We want to define a notion of (open) barbed bisimilarity for the calculus along the line of [29, 43]. To this aim, we must first identify an appropriate basic observable, namely a predicate that points out the interaction capabilities of a term. Since communication is asynchronous, an obvious starting point is considering as observable only the output capabilities of terms, like for asynchronous π-calculus [3]. The intuition is that an asynchronous observer cannot directly observe the receipt of data that he has sent. Thus, our notion of observation is as follows. Definition 1 (Observable for µCOWSm ). Let s be a µCOWSm closed term. Predicate s ↓n holds true if s can immediately perform an invoke over the (public) endpoint n, n C [¯n] v¯

that is if there exist s0 , n¯ and v¯ such that s −−−−−−−→ s0 . A desirable property of a behavioural equivalence, which enables compositional reasoning, is to be preserved by all contexts of the language. An equivalence that enjoys this property is called congruence. A µCOWSm (closed) context is a service C with a ‘hole’ [[·]], i.e. a term generated by the following grammar: C ::= [[·]] | G | C | s | s | C | [u] C | ∗ C

G ::= n?w. ¯ C | G+g | g+G

such that, once the hole is filled with a closed service s, the resulting term C[[s]] is a µCOWSm closed service. The above definitions of observation and context lead to the following notion of barbed bisimilarity. Definition 2 (Open barbed bisimilarity). A symmetric binary relation R on µCOWSm closed terms is an open barbed bisimulation if whenever s1 Rs2 the following holds: (Barb preservation)

if s1 ↓n then s2 ↓n ; ∅

∅

(Computation closure) if s1 −−→ s01 then there exists s02 such that s2 −−→ s02 and s01 Rs02 ; (Context closure)

C[[s1 ]] R C[[s2 ]], for every closed context C.

Two closed terms s1 and s2 are open barbed bisimilar, written s1 'm s2 , if s1 Rs2 for some open barbed bisimulation R. 'm is called open barbed bisimilarity. Of course, because of context closure, 'm is a congruence for µCOWSm closed terms. Strong labelled bisimilarity. The definition of 'm suffers from universal quantification over all possible language contexts, which makes the reasoning on terms very hard. Hence, we provide a purely co-inductive notion of bisimulation that only requires considering transitions of the labelled transition system defining the semantics of the 12

terms under analysis. The notion of labelled bisimulation introduced for asynchronous π-calculus in [3] does not turn out to be suitable for µCOWSm , since the bisimilarity defined on top of it would not properly characterise 'm . Consider, for example, the following two µCOWSm terms: s1 , [n] ( m!hni | n!hi )

s2 , [n] m!hni

They only differ for the fact that the first one is able to perform an invocation along the private endpoint n. However, they can exhibit the same barbs, and no context can tell them apart since it cannot be able to perform a receive along (the received name) n because of the constraint on the ‘localisation’ of names (indeed, contexts of the form [[·]] | m?hxi. x?hi. 0 are not allowed). Hence, s1 and s2 are barbed bisimilar. The natural asynchronous labelled bisimilarity derived from the π-calculus one would instead tell them apart and, hence, need to be weakened. Therefore we define a labelled bisimulation as a family of relations indexed with sets of names corresponding to the names that cannot be used by contexts (to test) for reception since they are dynamically exported private names. Definition 3 (Names-indexed family of relations). A names-indexed family F of relations is a set of symmetric binary relations RN on µCOWSm closed terms, one for each set of names N, i.e. F = {RN }N . Definition 4 (Labelled bisimilarity). A names-indexed family of relations {RN }N is a α

labelled bisimulation if, whenever s1 RN s2 and s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: n B [ x¯] w¯

(a) ∃ s02 : s2 −−−−−−−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ : s01 · σ RN s02 · σ ∅

(b) ∃ s02 : s2 −−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ : s01 · σ RN (s02 | n!(w¯ · σ) ) nC[¯n] v¯

2. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 −−−−−−→ s02 and s01 RN∪ n¯ s02 ∅

3. if α = ∅ then ∃ s02 : s2 −−→ s02 and s01 RN s02 Two closed terms s1 and s2 are N-bisimilar, written s1 ∼N m s2 , if s1 RN s2 for some RN in a labelled bisimulation. They are labelled bisimilar, written s1 ∼m s2 , if they are ∅-bisimilar. ∼N m is called N-bisimilarity, while ∼m is called labelled bisimilarity. The resulting definition somewhat recalls that of quasi-open bisimilarity for πcalculus [43]. Clause 1 states that a receive action can be simulated either in a normal way (clause 1.(a)) or by a computational step leading to a term that, when composed with the invoke activity consumed by the receive, stands in the appropriate relation (clause 1.(b)). Execution of receives whose argument contains variables leads to open terms, which the operational semantics is not defined for. Since the freed variables are placeholders for values to be received, we require the two continuations to be related for any matching tuple of values (similarly to late bisimulation for π-calculus [37]). We say that the bisimulation is given in a late style because in clause 1 the choice of the tuple of values v¯ takes place after the choice of s02 ; that is, s02 does not depend on the tuple of values v¯ . Clause 2, and the use of names-indexed families of relations, handles 13

the fact that dynamically exported private names cannot be used by a receiver within the endpoint of a receive (whose syntax, as we have seen in Section 3.1, does not allow to use variables). With abuse of notation, n < N in clause 2, with n = p • o, stands for p < N ∧ o < N. Thus, invocations along endpoints using either of the names in N are unobservable, hence these endpoints cannot be used to tell the executing terms apart. Finally, clause 3 deals with computational steps. Notably, actions σ different from ∅ are not taken into account, since they cannot be performed by closed terms (see rules (com) and (delcom )). To illustrate our labelled bisimilarity, let us consider a tailored version of the input absorption law characterizing asynchronous bisimulation in asynchronous π-calculus (i.e. the equation a(b). a¯ b + τ = τ presented in [3]): [x] ( ∅ + n?hx, vi. n!hx, vi ) ∼m ∅

(3)

where, for the sake of presentation, we exploit the context ∅+[[·]] , [m] (m!hi | m?hi+[[·]]) and the term ∅ , [m] (m!hi | m?hi). Communication along the private endpoint m models the τ action of π-calculus, while activities n?hx, vi and n!hx, vi recall the π-calculus actions a(b) and a¯ b, respectively. Intuitively, the equality means that a service that emits the data it has received behaves as a service that simply performs an unobservable action. Although the two terms in (3) are syntactically different, it turns out that they are bisimilar. Indeed, the only transition that the term ∅ can perform is: ∅

∅ −−→ 0 Trivially, the other term can reply by executing the activity on the left-hand side of +: ∅

[x] ( ∅ + n?hx, vi. n!hx, vi ) −−→ 0 Moreover, the term on the left in (3) can also perform the following transition: n B [x] hx,vi

[x] ( ∅ + n?hx, vi. n!hx, vi ) −−−−−−−−−−→ [m] (m!hi | n!hx, vi) To this, ∅ can reply with an ∅-transition and, then, for all v0 , [m] (m!hi | n!hv0 , vi) and (0 | n!hv0 , vi) are bisimilar. Indeed, both of them can only perform a transition labelled by n C hv0 , vi and evolve to [m] m!hi and 0, respectively, that cannot perform any further transition. As another example regarding labelled bisimilarity, we can now prove that [n] ( m!hni | n!hi ) ∼m [n] m!hni In fact, the family of relations {R∅ , R{n} }, where R∅ = { ( [n] ( m!hni | n!hi ) , [n] m!hni ) } and R{n} = { ( n!hi , 0 ) }, is a labelled bisimulation. We want now to prove that labelled bisimilarity is a congruence for µCOWSm . To this aim we also need to consider open terms, i.e. terms with free variables, although we have only defined (strong) labelled bisimulation and bisimilarity over closed terms. We proceed as in [36, Section 4.4], where a similar situation is faced in the setting of CCS. Therefore, we extend the definition of ∼N m as follows. 14

Definition 5. Let s1 and s2 be two µCOWSm terms containing free variables x¯ at most. Then s1 ∼N ¯ such that | x¯ |=| v¯ | , s1 ·{ x¯ 7→ v¯ } ∼N ¯ 7→ v¯ }. m s2 if, for all values v m s2 ·{ x In other words, ∼N m is generalised to open terms as an hyperequivalence. To prove the congruence result, we introduce also the notion of bisimulation upto structural congruence: it is defined as a labelled bisimulation except for the fact that the RN in the three clauses of Definition 4 is replaced by the (compound) relation ≡ RN ≡. The next lemma shows that a bisimulation up-to ≡ can be used as a sound proof-technique for labelled bisimulation. In the sequel, for the sake of simplicity, we explicitly write index N in a relation RN only when it is necessary or is modified in the considered case. Moreover, for the sake of readability, we only outline here the techniques used in the proofs and refer the interested reader to Appendix A for a full account. Lemma 1. Let F be a labelled bisimulation up-to ≡; then, F is a labelled bisimulation. Proof. We need to prove that the family of relations { { (s1 , s2 ) : s1 ≡ s01 , s02 ≡ s2 , s01 Rs02 } : R ∈ F } α

is a labelled bisimulation. The key point of the proof is that if s1 −−−→ s0 then, by rule α

(cong) and since s1 ≡ s01 , we get that s01 −−−→ s0 . The proof then proceeds by case analysis

on α, exploiting the fact that s01 Rs02 .

t u

Theorem 1. ∼m is a congruence for µCOWSm closed terms. Proof (sketch). We shall prove that, given two µCOWSm closed terms s1 and s2 , if s1 ∼m s2 then C[[s1 ]] ∼m C[[s2 ]] for every (possibly open) context C. The proof is by induction on the structure of the context C. t u It is worth noticing that Theorem 1 does not hold in case of open terms. For example, consider the following equation: ∅ + n?hxi. n!hxi ∼m [m] (m!hxi | m?hxi) Although the two terms above are open, we can easily prove that they are bisimilar. Indeed, we can prove that ∅ + n?hvi. n!hvi ∼m [m] (m!hvi | m?hvi) holds for all v (we can proceed as for (3)). However, the context [x] [[·]] can tell the two terms apart, since [x] (∅ + n?hxi. n!hxi) can perform action n B [x] hxi, while [x, m] (m!hxi | m?hxi) cannot perform any transition. Now, we prove that open barbed bisimilarity and labelled bisimilarity coincide. In other words, labelled bisimilarity is sound and complete with respect to the barbed (contextual) one. Theorem 2 (Soundness of ∼m w.r.t. 'm ). Given two µCOWSm closed terms s1 and s2 , if s1 ∼m s2 then s1 'm s2 . 15

Proof (sketch). By Theorem 1, we have that ∼m is context closed. Thus, we only need to prove that ∼m is barb preserving and computation closed. t u Theorem 3 (Completeness of ∼m w.r.t. 'm ). Given two µCOWSm closed terms s1 and s2 , if s1 'm s2 then s1 ∼m s2 . Proof (sketch). We define a family of relations F = { RN : N set of names } such that 'm is included in R∅ and show that it is a labelled bisimulation. Let N be the set {n1 , . . . , nm }, then s1 RN s2 if there exist m1 , . . . , mm fresh such that [n1 , . . . , nm ] (s1 | m1 !hn1 i | . . . | mm !hnm i) 'm [n1 , . . . , nm ] (s2 | m1 !hn1 i | . . . | mm !hnm i) α

Take s1 RN s2 and a transition s1 −−−→ s01 ; then, the proof proceeds by case analysis on α. t u Corollary 1. ∼m and 'm coincide. t u

Proof. Directly from Theorems 2 and 3.

Weak open barbed and labelled bisimilarities. Our semantic theories extend in a standard way to the weak case. Therefore, weak transitions are defined as follows: =⇒ α

∅

α

αˆ

α

means (−−→)∗ , i.e. zero or more ∅-transitions; ===⇒ means =⇒−−−→=⇒; ===⇒ means ===⇒ if α , ∅ and =⇒ if α = ∅. Predicate s ⇓n holds true if there exist s0 such that s =⇒ s0 and s0 ↓n . Then, weak open barbed bisimilarity, written um , is obtained by replacing s ↓n with ∅

s ⇓n , and −−→ with =⇒ in Definition 2.

α

αˆ

To define weak labelled bisimilarity we replace −−−→ with ===⇒ in the three clauses of Definition 4. As for π-calculus, the only subtle point is the case of receive actions, which n B [ x¯] w¯

have to be simulated by =⇒−−−−−−−→=⇒ and requires the substitution to be applied n B [ x¯] w¯

immediately after the transition −−−−−−−→, i.e. before further ∅-transitions (otherwise, just like in π-calculus, the resulting relation would not be an equivalence). Definition 6 (Weak labelled bisimilarity). A names-indexed family of relations α

{RN }N is a weak labelled bisimulation if, whenever s1 RN s2 and s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: nB[ x¯] w¯

(a) ∃ s002 : s2 =⇒−−−−−−−→ s002 and ∀ v¯ s.t. M( x¯, v¯ ) = σ ∃ s02 : s002 ·σ =⇒ s02 and s01 ·σ RN s02 (b) ∃ s02 : s2 =⇒ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ : s01 · σ RN (s02 | n!(w· ¯ σ) ) nC[¯n] v¯

2. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 ======⇒ s02 and s01 RN∪ n¯ s02 3. if α = ∅ then ∃ s02 : s2 =⇒ s02 and s01 RN s02 16

Two closed terms s1 and s2 are weak N-bisimilar, written s1 ≈N m s2 , if s1 RN s2 for some RN in a weak labelled bisimulation. They are weak labelled bisimilar, written s1 ≈m s2 , if they are weak ∅-bisimilar. ≈N m is called weak N-bisimilarity, while ≈m is called weak labelled bisimilarity. Results of congruence and coincidence still hold for the weak case. We omit the corresponding proofs because they do not require new techniques and, indeed, are the standard generalisation of the strong ones. We conclude with an example inspired to the law !(a(b). a¯ b) = 0 that holds for weak bisimilarity in asynchronous π-calculus [3]. In fact, the analogous of equality (3) for the weak case is: ∗ [x] n?hx, vi. n!hx, vi ≈m 0 (4) To prove validity, the most significant case is simulating the transition n B [x] hx,vi

∗ [x] n?hx, vi. n!hx, vi −−−−−−−−−−→ ∗ [x] (n?hx, vi. n!hx, vi) | n!hx, vi The term on the right of (4) replies with an empty transition (i.e. it does not perform any action) and it is easy to show that, for all v0 , (∗ [x] (n?hx, vi. n!hx, vi) | n!hv0 , vi) and (0 | n!hv0 , vi) are weak bisimilar.

4 µCOWS : the protection- and kill-free fragment of COWS The fragment of COWS presented in this section, namely µCOWS, dispenses with those activities dealing with termination, i.e. kill and protection. In other words, µCOWS extends µCOWSm with priority in the parallel composition. 4.1

Syntax and operational semantics

The syntax of µCOWS and the set of laws defining the structural congruence coincide with that of µCOWSm , shown in Tables 1 and 2, respectively. Instead, the labelled α

transition relation −−−→ is the least relation over µCOWS services induced by the rules in Tables 4 and 5, where rules (del 2 ), (com 2 ) and (par 2 ) replace (del), (com) and (par), respectively. Labels are now generated by the following grammar: α ::= n C [¯n] v¯ | n B [ x¯] w¯ | σ | n σ ` v¯ The new label n σ ` v¯ denotes execution of a communication over n with matching values v¯ , generated substitution having ` pairs, and substitution σ to be still applied. We use ce(α) to denote the names composing the endpoint in case α denotes execution of a communication, i.e. ce(α) is ∅ except for α = n σ ` v¯ for which we let ce(n σ ` v¯ ) = n. Moreover, for α = n σ ` v¯ we let u(n σ ` v¯ ) = u(σ). Now, computational steps are denoted both by label of the form n ∅ ` v¯ and ∅. The definition of the labelled transition relation exploits a new auxiliary predicate noConf(s, n, v¯ , `), with ` natural number. The predicate, defined in Table 6, holds true if s cannot immediately perform a receive over the endpoint n matching v¯ and generating a substitution σ with | σ | < `. 17

n B v¯

n σ]{x7→v} ` v¯

n C v¯

s1 −−−−−→ s01

s2 −−−−−→ s02 ∅

s −−−−−−−−−−−→ s0 (match)

n B w¯

[x] s −−−−−−→ s0 ·{x 7→ v}

n C v¯

s1−−−−−→s01

(delcom 2 )

n σ ` v¯

s1 | s2 −−→ s01 | s02 M(w, ¯ v¯ ) = σ

s2−−−−−→s02

|σ| >1

noConf(s1 | s2 , n, v¯ , | σ |)

n σ |σ| v¯

(com 2 )

s1 | s2 −−−−−−−→ s01 | s02 α

s −−→ s0

u < (u(α) ∪ ce(α)) α

n σ ` v¯

s −−−−−−→ s0 (del 2 )

[u] s −−→ [u] s0 α

α , n σ ` v¯

s1 −−→ s01 α

n∈n

σ

(private)

[n] s −−−→ [n] s0 n σ ` v¯

(par 2 )

s1 −−−−−−→ s01

noConf(s2 , n, v¯ , `) n σ ` v¯

s1 | s2 −−→ s01 | s2

(parcom )

s1 | s2 −−−−−−→ s01 | s2

Table 5. µCOWS operational semantics (additional rules)

noConf(u!¯ , n, v¯ , `) = noConf(0, n, v¯ , `) = true ( false if n0 = n ∧ | M(w, ¯ v¯ ) |< ` noConf(n0 ?w.s, ¯ n, v¯ , `) = true otherwise noConf(g + g0 , n, v¯ , `) = noConf(g, n, v¯ , `) ∧ noConf(g0 , n, v¯ , `) noConf(s | s0 , n, v¯ , `) = noConf(s, n, v¯ , `) ∧ noConf(s0 , n, v¯ , `) ( noConf(s, n, v¯ , `) if u < n noConf([u] s, n, v¯ , `) = true otherwise noConf(∗ s, n, v¯ , `) = noConf(s, n, v¯ , `) Table 6. There are not conflicting receives along n matching v¯

We only comment on salient points. In µCOWS, two different kinds of communication labels can be generated: σ and n σ ` v¯ . The latter label, produced by rule (com2 ), carries information about the communication that has taken place (i.e. the endpoint, the transmitted values, the generated substitution and its length) used to check the presence of conflicting receives in parallel components. Indeed, if more than one matching is possible, the receive that needs fewer substitutions is selected to progress (rules (com2 ) and (parcom )). This mechanism permits to correlate different service communications thus implicitly creating interaction sessions and can be exploited to model the precedence of a service instance over the corresponding service specification when both can process the same request. The check for presence of a conflict is not needed when either the performed receive has the highest priority (i.e. the substitution has length 0) or the communication takes place along a private endpoint. In the former case, label ∅ is immediately generated by rule (match). In the latter case, when the delimitation of a name belonging to the endpoint of a communication label is encountered (i.e. the communication is identified as private), the transition label n σ ` v¯ is turned into σ (rule (private)). 18

Rule (delcom 2 ) is similar to (delcom ) (shown in Table 4) but deals with labels generated by communications still subject to priority check. Notably, during the inference of a transition labelled by n σ ` v¯ , the length of the substitution to be applied decreases (rule (delcom 2 )), while the length ` of the initial substitution does never change, which makes it suitable to check, in any moment, existence of better matching, i.e. of parallel receives with greater priority. Execution of parallel services is interleaved (rule (par 2 )), but when a communication is performed. In such case, the progress of the receive activity with greater priority must be ensured. 4.2


As we have done for µCOWSm in the previous section, we define now open barbed and labelled bisimilarities for µCOWS. Strong open barbed bisimilarity. The notion of basic observable defined for µCOWSm (Definition 1) can be used also to define the open barbed bisimilarity for µCOWS. Definition 7 (Open barbed bisimilarity). A symmetric binary relation R on µCOWS closed terms is an open barbed bisimulation if whenever s1 Rs2 the following holds: (Barb preservation)

if s1 ↓n then s2 ↓n ;

n ∅ ` v¯

∅

(Computation closure) if s1 −−→ s01 (resp. s1 −−−−−→ s01 ) then there exists s02 such that n ∅ ` v¯

∅

∅

s2 −−→ s02 (resp. s2 −−−−−→ s02 or ` =| v¯ | ∧ s2 −−→ s02 ) and s01 Rs02 ; (Context closure)


Two closed terms s1 and s2 are open barbed bisimilar, written s1 'µ s2 , if s1 Rs2 for some open barbed bisimulation R. 'µ is called open barbed bisimilarity. The major difference with the definition of barbed bisimilarity for µCOWSm (Definition 2) is that here we also take care of computations of the form n ∅ ` v¯ . We show now that in µCOWS it is not true any longer that receive activities are always unobservable. In fact, in Section 3 we have shown that, for µCOWSm , ∼m enjoys the equality (3). Hence, by Theorem 3, we get that [x] ( ∅ + n?hx, vi. n!hx, vi ) 'm ∅, which means that receive activities cannot be observed (similarly to asynchronous πcalculus). In µCOWS, however, the context C , [y, z] n?hy, zi. m!hi | n!hv0 , vi | [[·]] can tell the two terms above apart. In fact, we have n ∅ 2 hv0 ,vi

C[[∅]] −−−−−−−−−→ m!hi | ∅ where the term (m!hi | ∅) satisfies the predicate ↓m . Instead, the other term cannot properly reply because the receive n?hx, vi has higher priority than n?hy, zi when synchronising with the invocation n!hv0 , vi. Thus, C[[[x] ( ∅+n?hx, vi. n!hx, vi )]] can only evolve to terms that cannot immediately satisfy the predicate ↓m . From this, we have [x] ( ∅ + n?hx, vi. n!hx, vi ) 6'µ ∅ 19

(5)

This means that, receive activities that exercise a priority (i.e. receives whose arguments contain some values) can be detected by an interacting observer. Now, consider the term [x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i ). Since n?hx, x0 i does not exercise any priority on parallel terms, we have that [x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i ) 'µ ∅

C[[[x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i )]] 'µ C[[∅]]

For similar reasons, we have that ∅ + n?hi. n!hi 'µ ∅ and D[[∅ + n?hi. n!hi]] 'µ D[[∅]] for D , n?hi. m!hi | n!hi | [[·]]. Therefore, differently from µCOWSm , communication in µCOWS is neither purely asynchronous nor purely synchronous. Indeed, receives having the smallest priority (i.e. whose arguments are, possible empty, tuples of variables) cannot be observed, while, by exploiting proper contexts, the other receives can be detected. Strong labelled bisimilarity. For what we have seen in the previous paragraph, the equivalence ∼m is not suitable for characterising the open barbed bisimilarity for µCOWS. Indeed, ∼m enjoys equality (3) while 'µ enjoys disequality (5). As consequence, ∼m is not preserved by all closed language contexts (which would prevent compositional reasoning). Thus, we provide a new notion of bisimulation defined on top of the labelled transition system defining the semantics of µCOWS. Definition 8 (Labelled bisimilarity). A names-indexed family of relations {RN }N is a α

labelled bisimulation if, whenever s1 RN s2 and s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: nB[ x¯] w¯

(a) ∃ s02 : s2 −−−−−−−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) : s01 ·σ RN s02 ·σ ∅

(b) | x¯ |=| w¯ | and ∃ s02 : s2 −−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) : s01 · σ RN (s02 | n!¯v) 2. if α = n ∅ ` v¯ where ` =| v¯ | then one of the following holds: n ∅ ` v¯

∅

(a) ∃ s02 : s2 −−−−−−→ s02 and s01 RN s02

(b) ∃ s02 : s2 −−→ s02 and s01 RN s02 nC[¯n] v¯

3. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 −−−−−−→ s02 and s01 RN∪ n¯ s02 α

4. if α = ∅ or α = n ∅ ` v¯ , where ` ,| v¯ |, then ∃ s02 : s2 −−−→ s02 and s01 RN s02 Two closed terms s1 and s2 are N-bisimilar, written s1 ∼N µ s2 , if s1 RN s2 for some RN in a labelled bisimulation. They are labelled bisimilar, written s1 ∼µ s2 , if they are ∅-bisimilar. ∼N µ is called N-bisimilarity, while ∼µ is called labelled bisimilarity. Clause 1 deals with both observable and unobservable receives. In fact, all receives can be simulated in a normal way (clause 1.(a)); additionally, receives such that | x¯ |=| w¯ |, i.e. w¯ contains only variables or is the empty tuple (since x¯ ⊆ w¯ and w\ ¯ x¯ does not contain variables), can be simulated by an internal action leading to a term that, when composed with the invoke activity consumed by the receive, stands in the appropriate relation (clause 1.(b)). For similar reasons, clause 2 permits replying with an ∅-transition 20

to communications involving an unobservable receive (` =| v¯ | implies that the tuple argument of the receive is either empty or only contains variables). Indeed, such clause is explained by the following equation: C[[[x, x0 ] (∅ + n?hx, x0 i. n!hx, x0 i)]] ∼µ C[[∅]] for C , [[·]] | n!hv0 , vi. In fact, if we do not have that clause, we would have that n ∅ 2 hv0 ,vi

C[[[x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i )]] −−−−−−−−−→

n ∅ 2 hv0 ,vi

and C[[∅]] −−−−−−/−−−→

which would imply that C[[[x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i )]] 6∼µ C[[∅]]. Differently from labelled bisimulation for µCOWSm , here in clause 1 the two continuations are not related for any tuple of values, but only for those tuples that can be effectively received (i.e. that do not give rise to communication conflicts). Indeed, for example, the following two µCOWS terms: s1 , [x] ( n?hvi + n?hxi. [m] (m!hxi | m?hxi + m?hvi. m0 !hi) ) s2 , [x] ( n?hvi + n?hxi. [m] (m!hxi | m?hxi) ) are both barbed and labelled bisimilar. Instead, if the definition of bisimulation does not have condition noConf(s2 , n, w¯ · σ, | x¯ |) in clause 1, we would have that s1 'µ s2 but s1 6∼µ s2 . Indeed, after execution of action n B [ x¯] x¯, it is not correct to consider the continuations under substitutions {x 7→ v0 } for all v0 , because such action cannot be performed in case the received value v0 is v (it is pre-empted by n?hvi). In clauses 1.(b) and 2.(b) we require that s2 can only reply with an ∅-transition and not with a transition labelled by m ∅ ` v¯ . Otherwise, the relation would not be preserved by parallel composition, because communication m ∅ ` v¯ is subject to conflict check and, hence, could be blocked by a receive with higher priority performed by a parallel term. Some illustrative equalities follow. 1. 2. 3. 4. 5. 6.

n!hi | n?hi 6∼µ m!hi | m?hi [n] (n!hi | n?hi) ∼µ [m] (m!hi | m?hi) ∼µ [m] (m!h¯vi | [ x¯] m?h x¯i) [x] ( ∅ + n?hx, vi. n!hx, vi ) 6∼µ ∅ [x, x0 ] ( ∅ + n?hx, x0 i. n!hx, x0 i ) ∼µ ∅ ∅ + n?hi. n!hi ∼µ ∅ C[[[x, x0 ] (∅+n?hx, x0 i. n!hx, x0 i)]] ∼µ C[[∅]] for C , [y, z] n?hy, zi. n0 !hi | n!hv0 , vi | [[·]]

Remark 1 (On computational steps). µCOWS supports two different kinds of computational steps, labelled by ∅ and n ∅ ` v¯ . To be a congruence, labelled bisimilarity deals with them separately. Indeed, let τ denote any computational step, and suppose to weaken Definition 8 by replacing ∅ with τ in clause 1, by removing clause 2, and by modifying clause 4 in order to only consider the case α = τ. We would have that ∗ n!hvi | ∅ ∼µ ∗ n!hvi | [x] n?hxi. n!hxi. In fact, the relevant cases are: n ∅ 1 hvi

∅

– if ∗ n!hvi | ∅ −−→ ∗ n!hvi then ∗ n!hvi | [x] n?hxi. n!hxi −−−−−−−→ ∗ n!hvi | n!hvi ≡ ∗ n!hvi, and vice versa; nB[hxi] hxi

∅

– if ∗ n!hvi | [x] n?hxi. n!hxi −−−−−−−−−→ ∗ n!hvi | n!hxi then ∗ n!hvi | ∅ −−→ ∗ n!hvi and for all v0 holds that ∗ n!hvi | n!hxi · {x 7→ v0 } and ∗ n!hvi | n!hv0 i are bisimilar. 21

However, the context n?hvi | [[·]] can tell the two terms apart, because the transition labelled n ∅ 1 hvi can be blocked by the activity n?hvi (which has higher priority than n?hxi). This means that the modified labelled bisimilarity is not a congruence for µCOWS. Of course, the two terms above are not bisimilar according to Definition 8. Now, we prove that labelled bisimilarity ∼µ is a congruence for µCOWS. To this aim, besides the generalisation of ∼µ to open terms and a lemma showing that a bisimulation up-to ≡ can be used as a sound proof-technique for labelled bisimulation, we need a lemma establishing preservation of predicate noConf( , , , ) by the relations belonging to a bisimulation. As usual, we only outline here the techniques used in the proofs and refer the interested reader to Appendix A for a full account. Definition 9. Let s1 and s2 be two µCOWS terms containing free variables x¯ at most. Then s1 ∼N ¯ such that | x¯ |=| v¯ | , s1 ·{ x¯ 7→ v¯ } ∼N ¯ 7→ v¯ }. µ s2 if, for all values v µ s2 ·{ x Lemma 2. Let F be a labelled bisimulation up-to ≡; then, F is a labelled bisimulation. Proof. The proof proceeds as the proof of Lemma 1.

t u

Lemma 3. Let s1 and s2 be two µCOWS closed terms and R be a relation belonging to a labelled bisimulation such that s1 Rs2 . Then, noConf(s1 , n, v¯ , `) = noConf(s2 , n, v¯ , `) for any n, v¯ and `, with ` 6 | v¯ |. Proof (sketch). The lemma is proved by contradiction.

t u

Theorem 4. ∼µ is a congruence for µCOWS closed terms. Proof (sketch). We shall prove that, given two µCOWS closed terms s1 and s2 , if s1 ∼µ s2 then C[[s1 ]] ∼µ C[[s2 ]] for every (possibly open) context C. The proof is by induction on the structure of the context C and proceeds similarly to that of Theorem 1. t u Now, we prove that labelled bisimilarity is sound and complete with respect to open barbed bisimilarity. Theorem 5 (Soundness of ∼µ w.r.t. 'µ ). Given two µCOWS closed terms s1 and s2 , if s1 ∼µ s2 then s1 'µ s2 . Proof (sketch). By Theorem 4, we have that ∼µ is context closed. Thus, we only need to prove that ∼µ is barb preserving and computation closed. t u Theorem 6 (Completeness of ∼µ w.r.t. 'µ ). Given two µCOWS closed terms s1 and s2 , if s1 'µ s2 then s1 ∼µ s2 . Proof (sketch). We define a family of relations F = { RN : N set of names } such that 'µ is included in R∅ , and show that it is a labelled bisimulation. Let N be the set {n1 , . . . , nm }, then s1 RN s2 if there exist m1 , . . . , mm fresh such that [n1 , . . . , nm ] (s1 | m1 !hn1 i | . . . | mm !hnm i) 'µ [n1 , . . . , nm ] (s2 | m1 !hn1 i | . . . | mm !hnm i) α

Take s1 RN s2 and a transition s1 −−−→ s01 ; then, the proof proceeds by case analysis on α. t u Corollary 2. ∼µ and 'µ coincide. t u

Proof. Directly from Theorems 5 and 6. 22

Weak open barbed and labelled bisimilarities. As in Section 3.3, the observational semantic theories introduced for µCOWS extend in a standard way to the weak case. Weak open barbed bisimilarity, namely uµ , is obtained by replacing s ↓n with s ⇓n , n ∅ ` v¯

n ∅ ` v¯

∅

−−→ with =⇒, and −−−−−→ with =====⇒ in Definition 7.

αˆ

α

To define weak labelled bisimilarity we replace −−−→ with ===⇒ in the four clauses of Definition 8. Definition 10 (Weak labelled bisimilarity). A names-indexed family of relations α

{RN }N is a weak labelled bisimulation if, whenever s1 RN s2 and s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: nB[ x¯] w¯

(a) ∃ s002 : s2 =⇒−−−−−−−→ s002 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) ∃ s02 : s002 ·σ =⇒ s02 and s01 ·σ RN s02 (b) | x¯ |=| w¯ | and ∃ s02 : s2 =⇒ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w¯ · σ, | x¯ |) : s01 · σ RN (s02 | n!¯v) 2. if α = n ∅ ` v¯ where ` =| v¯ | then one of the following holds: n ∅ ` v¯

(a) ∃ s02 : s2 ======⇒ s02 and s01 RN s02

(b) ∃ s02 : s2 =⇒ s02 and s01 RN s02 nC[¯n] v¯

3. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 ======⇒ s02 and s01 RN∪¯n s02 αˆ

4. if α = ∅ or α = n ∅ ` v¯ , where ` ,| v¯ |, then ∃ s02 : s2 ===⇒ s02 and s01 R s02 Two closed terms s1 and s2 are weak N-bisimilar, written s1 ≈N µ s2 , if s1 RN s2 for some RN in a weak labelled bisimulation. They are weak labelled bisimilar, written s1 ≈µ s2 , if they are weak ∅-bisimilar. ≈N µ is called weak N-bisimilarity, while ≈µ is called weak labelled bisimilarity. The results of congruence and coincidence still hold for the weak case. We omit the corresponding proofs because they do not require new techniques and, indeed, are the standard generalisation of the strong ones. We conclude with an example that is the analogous of equality (4) for µCOWS: ∗ [x, x0 ] n?hx, x0 i. n!hx, x0 i ≈µ 0 To prove validity, the most significant case is simulating the transition n B [x,x0 ] hx,x0 i

∗ [x, x0 ] n?hx, x0 i. n!hx, x0 i −−−−−−−−−−−−→ ∗ [x, x0 ] (n?hx, x0 i. n!hx, x0 i) | n!hx, x0 i The term on the right replies with an empty transition and it is easy to show that, for all v and v0 , (∗ [x, x0 ] (n?hx, x0 i. n!hx, x0 i) | n!hv, v0 i) and (0 | n!hv, v0 i) are weak bisimilar.

5

COWS

COWS is obtained by enriching µCOWS with two primitive operators to enable fault and compensation handling and guarantee transactional properties of services. 23

s ::= kill(k) | u • u0 !¯ | g | s|s | {|s|} | [e] s | ∗s

(services) (kill) (invoke) (receive-guarded choice) (parallel composition) (protection) (delimitation) (replication)

g ::= | |

(receive-guarded choice) 0 (nil) • p o?w.s ¯ (request processing) g+g (choice)

Table 7. COWS syntax

{|0|} ≡ 0 {| {|s|} |} ≡ {|s|} {|[e] s|} ≡ [e] {|s|}

[k] 0 ≡ 0 [k1 ] [k2 ] s ≡ [k2 ] [k1 ] s s1 | [k] s2 ≡ [k] (s1 | s2 )

if k < fk(s1 )∪fk(s2 )

Table 8. COWS structural congruence (additional laws)

5.1

Syntax

The syntax of COWS is presented in Table 7 (the new constructs are highlighted by a gray background). In COWS, besides the sets of values and variables, we also use the set of (killer) labels (ranged over by k, k0 , . . .). Notably, expressions do not include killer labels that, hence, are non-communicable values. This way the scope of killer labels cannot be dynamically extended and the activities whose termination would be forced by execution of a kill can be statically determined. We still use w to range over values and variables, u to range over names and variables, while we use e to range over elements, namely killer labels, names and variables. Delimitation now is a binder also for killer labels. fe(t) denotes the set of free elements in t, and fk(t) denotes the set of free killer labels in t. A closed service is a COWS term without free variables and killer labels. 5.2

Operational semantics

The structural congruence ≡ for COWS, besides the laws in Table 2, additionally includes the laws in Tables 8. Notably, the last law of Table 8 prevents extending the scope of a killer label k when it is free in s1 or s2 (this avoids involving s1 in the effect of a kill activity inside s2 and is essential to statically determine which activities can be terminated by a kill). Thus, this law can be used to garbage-collect killer labels, e.g. [k] n!¯ ≡ [k] (n!¯ | 0) ≡ n!¯ | [k] 0 ≡ n!¯ | 0 ≡ n!¯ . To define the labelled transition relation, we need two new auxiliary functions. The function halt( ) takes a service s as an argument and returns the service obtained by only retaining the protected activities inside s. halt( ) is defined inductively on the syntax of services. The most significant case is halt({|s|}) = {|s|}. In the other cases, halt( ) returns 0, except for parallel composition, delimitation and replication operators, for which it acts as an homomorphism. 24

noKill(s, e) = true

if fk(e) = ∅

noKill(s | s0 , k) = noKill(s, k) ∧ noKill(s0 , k)

noKill(kill(k), k) = false

noKill([e] s, k) = noKill(s, k)

noKill(kill(k ), k) = true 0

if k , k

if e , k

noKill([k] s, k) = true

0

noKill(u!¯ , k) = noKill(g, k) = true

noKill({|s|}, k) = noKill(∗ s, k) = noKill(s, k)

Table 9. There are no active kill(k) α

k

kill(k) −−→ 0 (kill)

s1 −−→ s01 α , k, n σ ` v¯ α

s1 | s2 −−→ s01 | s2 k

k

s −−→ s0 †

[k] s −−→ [k] s0 α

s −−→ s0

(delkill 1 )

e < (e(α) ∪ ce(α)) α

s −−→ s0

k,e

k

[e] s −−→ [e] s0 α , k, †

k

(par 3 )

(parkill )

k

s1 | s2 −−→ s01 | halt(s2 ) †

(delkill 2 )

noKill(s, e)

[e] s −−→ [e] s0

s1 −−→ s01

s −−→ s0 †

[e] s −−→ [e] s0

(delkill 3 )

α

s −−→ s0

(del 3 )

α

{|s|} −−→ {|s0 |}

(prot)

Table 10. COWS operational semantics (additional rules)

halt(kill(k)) = halt(u!¯ ) = halt(g) = 0 halt(s1 | s2 ) = halt(s1 ) | halt(s2 )

halt({|s|}) = {|s|}

halt([e] s) = [e] halt(s)

halt(∗ s) = ∗ halt(s)

Then, in Table 9, we inductively define the predicate noKill(s, e), that holds true if either e is not a killer label or e = k and s cannot immediately perform a free kill activity kill(k). Moreover, the predicate noConf(s, n, v¯ , `), defined for µCOWS by the rules in Table 6, is extended to COWS by adding the following rules: noConf(kill(k), n, v¯ , `) = true noConf({|s|}, n, v¯ , `) = noConf(s, n, v¯ , `) ( noConf(s, n, v¯ , `) if e < n noConf([e] s, n, v¯ , `) = true otherwise α

The labelled transition relation −−−→ is the least relation over services induced by the rules in Tables 4, 5 and 10, where rule (del 3 ) replaces (del) and (del 2 ), rule (com 2 ) replaces (com), and rule (par 3 ) replaces (par) and (par 2 ). Labels are now generated by the following grammar: α ::= n C [¯n] v¯ | n B [ x¯] w¯ | σ | n σ ` v¯ |

k

|

†

The meaning of the new labels is as follows: k denotes execution of a request for terminating a term from within the delimitation [k] , and † denotes a computational step corresponding to taking place of forced termination. In the sequel, we use e(α) to denote the set of elements occurring in α (it is defined similarly to u(α)). Let us now comment on the operational rules. Activity kill(k) forces termination of all unprotected parallel activities (rules (kill) and (parkill )) inside an enclosing [k] , that stops the killing effect by turning the transition label k into † (rule (delkill 1 )). Existence of such delimitation is ensured by the assumption that the semantics is only defined for 25

closed services. Critical activities can be protected from killing by putting them into a protection {| |}; this way, {|s|} behaves like s (rule (prot)). Similarly, [e] s behaves like s (rule (del 3 )), except when the transition label α contains e, in which case α must correspond either to a communication assigning a value to e (rules (delcom ) and (delcom 2 )) or to a kill activity for e (rule (delkill 1 )), or when a free kill activity for e is active in s, in which case only actions corresponding to kill activities can be executed (rules (delkill 2 ) and (delkill 3 )), that also apply when the third premise of (del 3 ) does not hold, i.e. α = k or α = †). This means that kill activities are executed eagerly with respect to the activities enclosed within the delimitation of the corresponding killer label. Execution of parallel services is interleaved (rule (par 3 )), but when a kill activity or a communication is performed. Indeed, the former must trigger termination of all parallel services (according to rule (parkill )), while the latter must ensure that the receive activity with greater priority progresses (rules (com 2 ) and (parcom )). 5.3


When considering observational semantics for COWS we soon discover that ∼µ is not preserved by those contexts forcing termination of the activities in the hole. For example, ∅ ∼µ {|∅|} trivially holds. However, the COWS context [k] (kill(k) | [[·]]) can tell the two terms apart. Indeed, [k] (kill(k) | ∅) ∼µ [k] (kill(k) | {|∅|}) does not hold since, after execution of the kill activity (that has highest priority), we would get 0 ∼µ {|∅|} which is trivially false. Therefore, ∼µ is not a congruence for COWS. Strong open barbed bisimilarity. Open barbed bisimilarity is by definition closed under all contexts and its definition only needs to be tuned for considering also †-transitions in the ‘Computation closure’. Definition 11 (Open barbed bisimilarity). A symmetric binary relation R on COWS closed terms is an open barbed bisimulation if whenever s1 Rs2 the following holds: (Barb preservation)

if s1 ↓n then s2 ↓n ; ∅

n ∅ ` v¯

†

(Computation closure) if s1 −−→ s01 , s1 −−→ s01 , s1 −−−−−→ s01 respectively, then there ∅

†

n ∅ ` v¯

exists s02 such that s2 −−→ s02 , s2 −−→ s02 , s2 −−−−−→ s02 or ∅

` =| v¯ | ∧ s2 −−→ s02 respectively, and s01 Rs02 ; (Context closure)


Two closed terms s1 and s2 are open barbed bisimilar, written s1 ' s2 , if s1 Rs2 for some open barbed bisimulation R. ' is called open barbed bisimilarity. Strong labelled bisimilarity. Labelled bisimilarity must explicitly take care of the terms resulting from application of function halt( ) (that gets the same effect as of plunging a term within the context [k] (kill(k) | [[·]])). It must also consider that if a closed term s performs a transition labelled by n C [m] ¯ v¯ , then s contains an invoke of the form n!¯ , with [[¯ ]] = v¯ , which can be either protected or not. These differences w.r.t. to Definition 8 are highlighted with a gray background. 26

Definition 12 (Labelled bisimilarity). A names-indexed family of relations {RN }N is α

a labelled bisimulation if s1 RN s2 then halt(s1 ) RN halt(s2 ) and if s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: nB[ x¯] w¯

(a) ∃ s02 : s2 −−−−−−−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) : s01 ·σ RN s02 ·σ ∅

(b) | x¯ |=| w¯ | and ∃ s02 : s2 −−→ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) : s01 · σ RN (s02 | n!¯v) or s01 · σ RN (s02 | {|n!¯v|}) 2. if α = n ∅ ` v¯ where ` =| v¯ | then one of the following holds: n ∅ ` v¯

∅

(a) ∃ s02 : s2 −−−−−−→ s02 and s01 RN s02

(b) ∃ s02 : s2 −−→ s02 and s01 RN s02 nC[¯n] v¯

3. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 −−−−−−→ s02 and s01 RN∪ n¯ s02 α

4. if α = ∅, α = † or α = n ∅ ` v¯ , where ` ,| v¯ |, then ∃ s02 : s2 −−−→ s02 and s01 RN s02 Two closed terms s1 and s2 are N-bisimilar, written s1 ∼N s2 , if s1 RN s2 for some RN in a labelled bisimulation. They are labelled bisimilar, written s1 ∼ s2 , if they are ∅-bisimilar. ∼N is called N-bisimilarity, while ∼ is called labelled bisimilarity. Notably, halt-closure takes into account execution of outer kill activities (i.e. kills performed by contexts), while the inner ones that are active in the considered terms are taken into account by clause 4. Remark 2 (On computational steps). COWS supports three different kinds of computational steps (labelled by ∅, n ∅ ` v¯ , or †) and they are dealt with separately because the priority of forced termination over communication permits to observe the kind of computational steps that take place. Indeed, let τ denote any computational step, and suppose to weaken computation closure in Definition 11 and clause 4 of Definition 12 τ

τ

by only requiring that if s1 −−→ then s2 −−→. We would have that [k] kill(k) 6' ∅ while [k] kill(k) ∼ ∅. In fact, the above terms are easily distinguished by the context [k0 ] (kill(k0 ) | [[·]]), because the term obtained by filling the context with the term on the left can perform the following transitions τ

τ

[k0 ] (kill(k0 ) | [k] kill(k)) −−→ [k0 ] kill(k0 ) −−→ 0 while, due to priority of kill over communication, the other term can only reply as follows τ τ [k0 ] (kill(k0 ) | ∅) −−→ 0 −− /→ This means that [k0 ] (kill(k0 ) | [k] kill(k)) 6' [k0 ] (kill(k0 ) | ∅), and hence [k] kill(k) 6' ∅. Moreover, it would hold that [k0 ] (kill(k0 ) | [k] kill(k)) 6∼ [k0 ] (kill(k0 ) | ∅), which also implies that ∼ would not be a congruence for COWS. Thus, to enable ∼ to tell [k] kill(k) and ∅ apart, we must allow ∼ to distinguish computational steps (as in clause 4 of Definition 12). This way, we also have that the following holds: {| [k] kill(k) |} 6∼ {| ∅ |} 27

However, they have the same barbs and no context can take them apart. Thus, {| [k] kill(k) |} ' {| ∅ |} Therefore, to have a sound and complete characterisation of ' in terms of ∼, we must allow ' to distinguish computational steps (as in the computation closure required by Definition 11). We can now prove that labelled bisimilarity is a congruence for COWS. Definition 13. Let s1 and s2 be two COWS term containing free variables x¯ at most. Then s1 ∼N s2 if, for all values v¯ such that | x¯ |=| v¯ | , s1 ·{ x¯ 7→ v¯ } ∼N s2 ·{ x¯ 7→ v¯ }. Theorem 7. ∼ is a congruence for COWS. Proof (sketch). We shall prove that, given two COWS closed terms s1 and s2 , if s1 ∼ s2 then C[[s1 ]] ∼ C[[s2 ]] for every context C. The proof is by induction on the structure of the context C. t u We prove now that barbed bisimilarity and labelled bisimilarity coincide. Theorem 8 (Soundness of ∼ w.r.t. '). Given two COWS closed terms s1 and s2 , if s1 ∼ s2 then s1 ' s2 . Proof. The proof proceeds as the proof of Theorem 5, by also exploiting the fact that, †

†

by Definition 12, if s1 −−→ s01 then s2 −−→ s02 and s01 ∼ s02 , for some s02 .

t u

Theorem 9 (Completeness of ∼ w.r.t. '). Given two COWS closed terms s1 and s2 , if s1 ' s2 then s1 ∼ s2 . Proof. The proof proceeds as the proof of Theorem 6, by also exploiting the fact that, †

†

by Definition 11, if s1 −−→ s01 then s2 −−→ s02 and s01 ' s02 , for some s02 .

t u

Corollary 3. ∼ and ' coincide. t u

Proof. Directly from Theorems 8 and 9.

Weak open barbed and labelled bisimilarities. Extension to the weak case is standard. Let τ denote any computational step, i.e. either ∅ or †. With respect to the strong case, and to the analogous extension for µCOWSm and µCOWS, we relax the requirement for the computational steps, by merely requiring each τ to be matched by zero or more τ

τ. Specifically, weak transitions are defined as follows: =⇒ means (−−→)∗ , i.e. zero or α

αˆ

α

α

more τ-transitions; ===⇒ means =⇒−−−→=⇒; ===⇒ means ===⇒ if α , τ and =⇒ if α = τ. Thus, we obtain the following definition of weak bisimulations. Weak open barbed bisimilarity, namely u, is obtained by replacing s ↓µ with s ⇓µ , ∅

†

n ∅ ` v¯

n ∅ ` v¯

−−→ and −−→ with =⇒, and −−−−−→ with =====⇒ in Definition 11. 28

Definition 14 (Weak labelled bisimilarity). A names-indexed family of relations {RN }N is a weak labelled bisimulation if s1 RN s2 then halt(s1 ) RN halt(s2 ) and if α

s1 −−−→ s01 , where bu(α) are fresh, then: 1. if α = n B [ x¯] w¯ then one of the following holds: nB[ x¯] w¯

(a) ∃ s002 : s2 =⇒−−−−−−−→ s002 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w·σ, ¯ | x¯ |) ∃ s02 : s002 ·σ =⇒ s02 and s01 ·σ RN s02 (b) | x¯ |=| w¯ | and ∃ s02 : s2 =⇒ s02 and ∀ v¯ s.t. M( x¯, v¯ ) = σ and noConf(s2 , n, w¯ · σ, | x¯ |) : s01 · σ RN (s02 | n!¯v) or s01·σ RN (s02 | {|n!¯v|}) 2. if α = n ∅ ` v¯ where ` =| v¯ | then one of the following holds: n ∅ ` v¯

(a) ∃ s02 : s2 ======⇒ s02 and s01 RN s02

(b) ∃ s02 : s2 =⇒ s02 and s01 RN s02 nC[¯n] v¯

3. if α = n C [¯n] v¯ where n < N then ∃ s02 : s2 ======⇒ s02 and s01 RN∪ n¯ s02 αˆ

4. if α = ∅, α = † or α = n ∅ ` v¯ , where ` ,| v¯ |, then ∃ s02 : s2 ===⇒ s02 and s01 RN s02 Two closed terms s1 and s2 are weak N-bisimilar, written s1 ≈N s2 , if s1 RN s2 for some RN in a weak labelled bisimulation. They are weak labelled bisimilar, written s1 ≈ s2 , if they are weak ∅-bisimilar. ≈N is called weak N-bisimilarity, while ≈ is called weak labelled bisimilarity. Again, results of congruence and coincidence hold. 5.4

Analysing the ‘Morra game’ scenario

We now study the relationship between the high- and low-level specifications of the Morra service introduced in Section 2. We can prove that (1) 6≈ (2). Indeed, (1) can evens • throwB[xid ,y p ,ynum ] hxid ,y p ,ynum i

odds • throwB[x p ,xnum ] h f irst,x p ,xnum i

perform transitions −−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ and −−−−−−−−−−−−−−−−−−−−−−−−−−−→ and, because of application of substitutions {xid 7→ f irst, y p 7→ cbB, ynum 7→ 1} and {x p 7→ cbA, xnum 7→ 2}, evolve to ( cbA • res!h f irst, win(2, 1, 1)i | cbB • res!h f irst, win(2, 1, 0)i ) Instead, (2) can properly simulate the above transitions but it can only evolve to {| cbA • res!h f irst, wi | cbB • res!h f irst, li |} Of course, the latter term behaves differently from the former one in presence of kill activities. In fact, given the context C , [k0 ] ( [n] (n!hi | n?hi. kill(k0 )) | [[·]] ), we have that C[[(1)]] 6≈ C[[(2)]]. If we modify the last two invoke activities in the high-level specification (1) as follows: ∗ [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i (6) | {| x p • res!hxid , win(xnum , ynum , 1)i | y p • res!hxid , win(xnum , ynum , 0)i |} ) 29

the problem persists, because (6) after the first two transitions always provides a response, while (2) could fail to provide a response in presence of kill activities. Instead, by replacing M in (2) by [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i | {| [k] ( . . . ) |} ) we can equate (6) with the so obtained low-level specification. We can also prove that M is congruent to the following variant: [xid , x p , xnum , y p , ynum ] ( odds • throw?hxid , x p , xnum i | evens • throw?hxid , y p , ynum i | m • req2f !hxid , xnum , ynum i | m • req5f !hxid , xnum , ynum i | [xo , xe ] ( m • resp2f ?hxid , xo , xe i. {|x p • res!hxid , xo i | y p • res!hxid , xe i|} + m • resp5f ?hxid , xo , xe i. {|x p • res!hxid , xo i | y p • res!hxid , xe i|} ) ) This somehow suggests us that we can use kill, delimitation and protection to model choice among receive activities that prefix protected terms, like in the following case [ x¯] ( n?w. ¯ {|s|} + n0 ?w¯ 0 . {|s0 |} ) ≈ [k, x¯] ( n?w. ¯ (kill(k) | {|s|}) | n0 ?w¯ 0 . (kill(k) | {|s0 |}) )

6

Concluding remarks and related work

We have investigated the impact of COWS’s dynamic priority mechanisms combined with local pre-emption on the definitions of semantic theories for SOC systems. We have introduced natural notions of strong and weak open barbed bisimilarities for COWS, and then proved their coincidence with more manageable characterisations in terms of labelled bisimilarities. We have also demonstrated our approach through the specification and the analysis of an illustrative example. We leave for future work the identification of appropriate sets of sound and general equational laws that can facilitate the task of analysing SOC systems through the semantic theories introduced in this paper. In fact, at a certain level of abstraction, WSBPEL applications can be modelled using COWS, thus we hope eventually to be able to verify them. We also plan to develop efficient symbolic characterisations of the labelled bisimilarities over a new symbolic operational semantics for COWS introduced in [42]. The birth of the SOC paradigm has caused the development of new technologies and has stimulated foundational research. Many new process calculi have been designed (see e.g. [13, 31, 26, 6, 21, 4, 14, 30, 7, 11, 44]), addressing one aspect or another of SOC and aiming at assessing the adequacy of diverse sets of primitives w.r.t. modelling, combining and analysing SOC applications. COWS borrows a number of features from well-known ‘traditional’ process calculi: asynchronous [8, 28, 3] and polyadic communication [39], polyadic synchronization [15], and localised channels [34] have been deeply studied in the setting of π-calculus [37], as well as input-guarded choice (that has been used in many presentations of π-calculus); global scoping and non-binding input are inspired by fusion calculus [41]; pattern matching-based communication has been used in, e.g., K [17] and Xpi [2]; distinction between variables and values is present in, e.g., value-passing CCS [35], applied π-calculus [1] and Dπ [27]. 30

The most distinctive feature of COWS is, however, the parallel operator that takes priority of actions into account, where actions have assigned priority values that can dynamically change and have a scope. In [33], we have largely discussed the relevance of this feature to deal with correlation, and service instantiation and termination. Many process calculi with priority have been proposed in the literature; a comprehensive survey, with terminology and classification of different approaches, can be found in [16]. In previous proposals, dynamic priorities are basically used to model scheduling approaches and real-time aspects (see e.g. [5, 10, 20]) while in COWS they are used for coordination, other than for orchestration, purposes. For example, in the service 5F of Section 2 they enable implementing a sort of ‘default’ behaviour, that returns err when a throw is not admissible. To the best of our knowledge (see also [16]), the interplay between dynamic priorities and local pre-emption, and their impact on semantic theories of processes have never been explored before. In [33] we have also shown how COWS’s constructs dealing with termination can be used to model fault and compensation handling a` la WS-BPEL, and to encode features and primitives of other calculi for SOC, e.g. the construct where of Orc [40] and session closure of SCC [6]. A termination construct similar to COWS’s kill activity has been introduced in [25] in the setting of a distributed π-calculus, where it is used to model the failure of a node (and, hence, the termination of all the processes running therein). Instead, COWS’s kill activity (in conjunction with protection and delimitation) is more flexible since it permits terminating parallel activities in a more selective way. Indeed, the construct proposed in [25] can be easily rendered in COWS. In some calculi for SOC, strong or weak notions of labelled bisimilarity have been used for proving existence of normal forms for services [44], for program transformation [22], for checking conformance of a calculus of orchestration to a calculus of choreography [12], and for proving compliance between service implementations and specifications [30, 11]. The latter two mentioned works share our same aims, but consider process calculi that, to link together actions executed as part of the same interaction, rely on sessions rather than on correlation data. Behavioural theories based on testing preorders have instead been exploited to check if a service exposing a given contract can play a specific role within a service choreography [9]. COWS’s barbed bisimilarities follow the approach of open barbed bisimilarities [29, 43] rather than that of barbed congruence [38], i.e. quantification over contexts occurs recursively inside the definition of bisimilarity. This approach is commonly used in recent works on defining barbed bisimilarities and, then, their labelled characterizations for process calculi with intricate features as e.g. Distributed π-calculus [24] and K [18]. This because it simplifies the proof of completeness since it allows to choose a context at any computational step. Moreover, for asynchronous π-calculus, it has been proved in [23] that the two approaches coincide. However, since this is not true for (synchronous) π-calculus [43], and since our calculus is not completely asynchronous, it is probably worth considering also the approach used in [38, 3]. We leave this for future investigation. COWS’s labelled bisimilarities strongly recall the bisimilarities for asynchronous πcalculus introduced in [3]. However, COWS’s priority mechanisms make some receive actions observable (which leads to a novel notion of observation that refines the purely 31

asynchronous one), and require specific conditions on the labelled bisimilarities for these to be congruences.

References 1. M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In Proc. of 27th Annual ACM Symposium on Principles of Programming Languages (POPL), pages 104–115. ACM Press, 2001. 2. L. Acciai and M. Boreale. Xpi: a typed process calculus for XML messaging. Science of Computer Programming, 71(2):110–143, 2008. 3. R.M. Amadio, I. Castellani, and D. Sangiorgi. On Bisimulations for the Asynchronous piCalculus. Theoretical Computer Science, 195(2):291–324, 1998. 4. M. Bartoletti, P. Degano, and G. Ferrari. Security Issues in Service Composition. In Proc. of 8th International Conference on Formal Methods for Open Object-Based Distributed Systems (FMOODS), volume 4037 of Lecture Notes in Computer Science, pages 1–16. Springer, 2006. 5. G. Bhat, R. Cleaveland, and G. Lüttgen. A Practical Approach to Implementing Real-Time Semantics. Annals of Software Engineering, 7:127–155, 1999. 6. M. Boreale, R. Bruni, L. Caires, R. De Nicola, I. Lanese, M. Loreti, F. Martins, U. Montanari, A. Ravara, D. Sangiorgi, V.T. Vasconcelos, and G. Zavattaro. SCC: a Service Centered Calculus. In Proc. of 3rd International Workshop on Web Services and Formal Methods (WSFM)), volume 4184 of Lecture Notes in Computer Science, pages 38–57. Springer, 2006. 7. M. Boreale, R. Bruni, R. De Nicola, and M. Loreti. Sessions and Pipelines for Structured Service Programming. In Proc. of 10th International Conference on Formal Methods for Open Object-based Distributed Systems (FMOODS), volume 5051 of Lecture Notes in Computer Science, pages 19–38. Springer, 2008. 8. G. Boudol. Asynchrony and the pi-calculus. Technical Report 1702, INRIA, Sophia Antipolis, 1991. 9. M. Bravetti and G. Zavattaro. Towards a Unifying Theory for Choreography Conformance and Contract Compliance. In Software Composition, volume 4829 of Lecture Notes in Computer Science, pages 34–50. Springer, 2007. 10. P. Brémond-Grégoire, S.B. Davidson, and I. Lee. CCSR92: Calculus for Communicating Shared Resources with Dynamic Priorities. In Proc. of 1st North American Process Algebra Workshop (NAPAW), Workshops in Computing, pages 65–85. Springer, 1993. 11. R. Bruni, I. Lanese, H.C. Melgratti, and E. Tuosto. Multiparty sessions in SOC. In Proc. of 10th international conference on Coordination Models and Languages (COORDINATION), volume 5052 of Lecture Notes in Computer Science, pages 67–82. Springer, 2008. 12. N. Busi, R. Gorrieri, C. Guidi, R. Lucchi, and G. Zavattaro. Choreography and orchestration conformance for system design. In Proc. of 8th international conference on Coordination Models and Languages (COORDINATION’06), volume 4038 of Lecture Notes in Computer Science, pages 63–81. Springer, 2006. 13. M.J. Butler, C.A.R. Hoare, and C. Ferreira. A Trace Semantics for Long-Running Transactions. In 25 Years Communicating Sequential Processes, volume 3525 of Lecture Notes in Computer Science, pages 133–150. Springer, 2005. 14. M. Carbone, K. Honda, and N. Yoshida. Structured Communication-Centred Programming for Web Services. In Proc. of 16th European Symposium on Programming (ESOP), volume 4421 of Lecture Notes in Computer Science, pages 2–17. Springer, 2007. 15. M. Carbone and S. Maffeis. On the expressive power of polyadic synchronisation in πcalculus. Nordic Journal of Computing, 10(2):70–98, 2003.

32

16. R. Cleaveland, G. Lüttgen, and V. Natarajan. Priorities in process algebra. Handbook of Process Algebra, chapter 12, pages 391–424, 2001. 17. R. De Nicola, G. Ferrari, and R. Pugliese. KLAIM: A Kernel Language for Agents Interaction and Mobility. Transactions on Software Engineering, 24(5):315–330, 1998. 18. R. De Nicola, D. Gorla, and R. Pugliese. Basic observables for a calculus for global computing. Information and Computation, 205(10):1491–1525, 2007. 19. A. Fantechi, S. Gnesi, A. Lapadula, F. Mazzanti, R. Pugliese, and F. Tiezzi. A model checking approach for verifying COWS specifications. In Proc. of Fundamental Approaches to Software Engineering (FASE), volume 4961 of Lecture Notes in Computer Science, pages 230–245. Springer, 2008. 20. H. Fecher. A Real-Time Process Algebra with Open Intervals and Maximal Progress. Nordic Journal of Computing, 8(3):346–365, 2001. 21. G. Ferrari, R. Guanciale, and D. Strollo. Event based service coordination over dynamic and heterogeneous networks. In Proc. of 4th International Conference on Service Oriented Computing (ICSOC), volume 4294 of Lecture Notes in Computer Science, pages 453–458. Springer, 2006. 22. L.C. Filipe, I. Lanese, V. Vasconcelos, F. Martins, and A. Ravara. Behavioural Theory at Work: Program Transformations in a Service-Centred Calculus. In Proc. of 10th International Conference on Formal Methods for Open Object-based Distributed Systems (FMOODS), volume 5051 of Lecture Notes in Computer Science, pages 59–77. Springer, 2008. 23. C. Fournet and G. Gonthier. A Hierarchy of Equivalences for Asynchronous Calculi. In Proc. of 25th International Colloquium on Automata, Languages and Programming (ICALP), volume 1443 of Lecture Notes in Computer Science, pages 844–855. Springer, 1998. 24. A. Francalanza and M. Hennessy. A Theory of System Fault Tolerance. In Proc. of 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS), volume 3921 of Lecture Notes in Computer Science, pages 16–31. Springer, 2006. 25. A. Francalanza and M. Hennessy. A theory for observational fault tolerance. J. Log. Algebr. Program., 73(1-2):22–50, 2007. 26. C. Guidi, R. Lucchi, R. Gorrieri, N. Busi, and G. Zavattaro. SOCK: A Calculus for Service Oriented Computing. In Proc. of 4th International Conference on Service Oriented Computing (ICSOC), volume 4294 of Lecture Notes in Computer Science, pages 327–338. Springer, 2006. 27. M. Hennessy and J. Riely. Resource access control in systems of mobile agents. Information and Computation, 173(1):82–120, 2002. 28. K. Honda and M. Tokoro. An Object Calculus for Asynchronous Communication. In Proc. of 5th European Conference on Object-Oriented Programming (ECOOP), volume 512 of Lecture Notes in Computer Science, pages 133–147. Springer, 1991. 29. K. Honda and N. Yoshida. On Reduction-Based Process Semantics. Theoretical Computer Science, 151(2):437–486, 1995. 30. I. Lanese, F. Martins, A. Ravara, and V.T. Vasconcelos. Disciplining Orchestration and Conversation in Service-Oriented Computing. In Proc, of 5th International Conference on Software Engineering and Formal Methods (SEFM), pages 305–314. IEEE Computer Society Press, 2007. 31. C. Laneve and G. Zavattaro. Foundations of Web Transactions. In Proc. of 8th International Conference on Foundations of Software Science and Computational Structures (FoSSaCS), volume 3441 of Lecture Notes in Computer Science, pages 282–298. Springer, 2005. 32. A. Lapadula. Specification and Analysis of Service-Oriented Applications. PhD Thesis in Computer Science, Dipartimento di Sistemi e Informatica, Università degli Studi di Firenze,

33

33.

34. 35. 36. 37. 38.

39. 40. 41.

42.

43.

44.

2009. Available at http://rap.dsi.unifi.it/cows/theses/tiezzi_phdthesis. pdf. A. Lapadula, R. Pugliese, and F. Tiezzi. A calculus for orchestration of web services. Technical report, Dipartimento di Sistemi e Informatica, Università di Firenze, 2006. http://rap. dsi.unifi.it/cows/papers/cows-esop07-full.pdf. An extended abstract appeared in Proc. of ESOP’07, LNCS 4421, pages 33-47, Springer. M. Merro and D. Sangiorgi. On asynchrony in name-passing calculi. Mathematical Structures in Computer Science, 14(5):715–767, 2004. R. Milner. A Calculus of Communicating Systems., volume 92 of LNCS. Springer–Verlag, 1980. R. Milner. Communication and concurrency. Prentice-Hall, 1989. R. Milner, J. Parrow, and D. Walker. A Calculus of Mobile Processes, I and II. Information and Computation, 100(1):1–40, 41–77, 1992. R. Milner and D. Sangiorgi. Barbed Bisimulation. In Proc. of 19th International Colloquium on Automata, Languages and Programming (ICALP), volume 623 of Lecture Notes in Computer Science, pages 685–695. Springer, 1992. Robin Milner. The polyadic pi-calculus: a tutorial. Technical report, Logic and Algebra of Specification, 1991. J. Misra and W.R. Cook. Computation Orchestration: A Basis for Wide-Area Computing. Journal of Software and Systems Modeling, 6(1):83–110, 2007. J. Parrow and B. Victor. The fusion calculus: Expressiveness and symmetry in mobile processes. In Proc. of 13th Annual IEEE Symposium on Logic in Computer Science (LICS), pages 176–185. IEEE Computer Society Press, 1998. R. Pugliese, F. Tiezzi, and N. Yoshida. A Symbolic Semantics for a Calculus for ServiceOriented Computing. In Proc. of 1st Workshop on Programming Language Approaches to Concurrency and Communication-cEntric Software (PLACES), Electronic Notes in Theoretical Computer Science. Elsevier, 2009. To appear. D. Sangiorgi and D. Walker. On Barbed Equivalences in pi-Calculus. In Proc. of 12th International Conference on Concurrency Theory (CONCUR), volume 2154 of Lecture Notes in Computer Science, pages 292–304. Springer, 2001. H.T. Vieira, L. Caires, and J. Costa Seco. The Conversation Calculus: A Model of ServiceOriented Computation. In Proc. of 17th European Symposium on Programming (ESOP), volume 4960 of Lecture Notes in Computer Science, pages 269–283. Springer, 2008.

34

A

Proofs of main results

A.1 µCOWS m Theorem A1 (Theorem 1) ∼m is a congruence for µCOWSm closed terms. Proof. We shall prove that, given two µCOWSm closed terms s1 and s2 , if s1 ∼m s2 then C[[s1 ]] ∼m C[[s2 ]] for every (possibly open) context C. The proof is by induction on the structure of the context C. The base case, i.e. whenever C = [[ ]], is trivial. For the inductive case, we have the following possibilities: – C = n?w. ¯ D. By induction, we may assume that D[[s1 ]] ∼m D[[s2 ]]. If C is a closed context, then w¯ = v¯ , i.e. w¯ only contains values, D is a closed context, and there exists a bisimulation F such that D[[s1 ]]R∅ D[[s2 ]] with R∅ ∈ F . By Lemma 1, we can prove the thesis by showing that (F \R∅ ) ∪ R∅0 is a bisimulation up-to ≡, where R∅0 = {(n?¯v. D[[s1 ]], n?¯v. D[[s2 ]])} ∪ R∅ Indeed, R∅0 is transition closed because R∅ is transition closed and n B v¯

n?¯v. D[[s1 ]] −−−−−→≡ D[[s1 ]] n B v¯

n?¯v. D[[s2 ]] −−−−−→≡ D[[s2 ]] From the hypothesis D[[s1 ]]R∅ D[[s2 ]], since R∅ ⊆ R∅0 , we have D[[s1 ]]R∅0 D[[s2 ]]. Instead, if w¯ and D contain free variables x¯ at most, then the hypothesis D[[s1 ]] ∼m D[[s2 ]] implies that for all v¯ such that | x¯ |=| v¯ | we have D0 [[s1 ]] ∼m D0 [[s2 ]] for D0 = D · { x¯ 7→ v¯ }. Indeed, since s1 and s2 are closed terms, s1 ·{ x¯ 7→ v¯ } = s1 and s2 ·{ x¯ 7→ v¯ } = s2 . This means that for all v¯ there exists a bisimulation F 0 such that D0 [[s1 ]]R∅00 D0 [[s2 ]] with R∅00 ∈ F 0 . By Lemma 1, we can prove the thesis by showing that (F 0 \R∅00 ) ∪ R∅000 is a bisimulation up-to ≡, where R∅000 = {(n?w·{ ¯ x¯ 7→ v¯ }. D0 [[s1 ]] , n?w·{ ¯ x¯ 7→ v¯ }. D0 [[s2 ]])} ∪ R∅00 The rest of the proof proceeds as before. – C = G + g. By induction, we may assume that G[[s1 ]] ∼m G[[s2 ]]. If G is a closed context, then there exists a bisimulation F such that G[[s1 ]]R∅ G[[s2 ]] with R∅ ∈ F . By Lemma 1, we can prove the thesis by showing that (F \R∅ ) ∪ R∅0 is a bisimulation up-to ≡, where R∅0 = {(G[[s1 ]] + g, G[[s2 ]] + g)} ∪ R∅ ∪ Id α

and Id is the identity relation. Indeed, if G[[s1 ]] + g −−−→ s, due to the structure of G and g, then α = n B [ x¯] v¯ and there are the following possibilities. n B [ x¯] v¯

n B [ x¯] v¯

• g −−−−−−−→ s. Thus, G[[s2 ]] + g −−−−−−−→ s and s R∅0 s, since s Id s and Id ⊆ R∅0 . n B [ x¯] v¯

• G[[s1 ]] −−−−−−−→ s. From the hypothesis G[[s1 ]]R∅ G[[s2 ]], then we have two possibilities: 35

n B [ x¯] v¯

∗ There exists s0 such that G[[s2 ]] −−−−−−−→ s0 and, for all v¯ such that n B [ x¯] v¯

M( x¯, v¯ ) = σ, we have s · σ R∅ s0 · σ. Then, G[[s2 ]] + g −−−−−−−→ s0 . Since R∅ ⊆ R∅0 , we get s · σ R∅0 s0 · σ. ∅

∗ There exists s0 such that G[[s2 ]] −−→ s0 and, for all v¯ such that M( x¯, v¯ ) = σ, ∅

we have s·σ R∅ (s0 | n!(w·σ)). ¯ Then, G[[s2 ]]+g −−→ s0 and, since R∅ ⊆ R∅0 , 0 0 we get s · σ R∅ (s | n!(w¯ · σ)). If C is an open context, we can proceed similarly to the case C = n?w. ¯ D when C contains free variables. – C = g + G. We can proceed as in the case C = G + g. – C = [x] D. If D is a closed context, then [x] D ≡ D and, by induction, we immediately conclude. Instead, if D contains the free variable x at most2 , by induction and since s1 and s2 are closed terms, it holds that, for all v, Dv [[s1 ]] ∼m Dv [[s2 ]], where Dv =D · {x 7→ v}. This means that, for all v, there exists a bisimulation F v such that Dv [[s1 ]] R∅v Dv [[s2 ]], with R∅v ∈ F v . Now, consider the following family of relations: S [x] F = {RN : N is a set of names} ∪ v F v [x] v 0 v = {([x] s, [x] s0 ) : ∀v s · {x 7→ v} RN s · {x 7→ v} , RN ∈ F v , s and s0 where RN α

satisfy (∗) }; property (∗) states that if s −−−→ where α = n B [¯y] w, ¯ with x ∈ α S v 0 w, ¯ or α = σ ] {x 7→ v}, then s −−−→, and vice versa; v F = {RN : S v v N is a set of names , RN ∈ F v , RN = v RN }. The proof proceeds by proving that F is a bisimulation up-to ≡. Indeed, by letting s = D[[s1 ]] and s0 = D[[s2 ]], we obtain the thesis. In fact, Dv [[s1 ]] R∅v Dv [[s2 ]] for all v, and D[[s1 ]] and D[[s2 ]] satisfy property (∗), because x does not occur free in s1 and s2 (since s1 and s2 are closed terms). α

[x] Thus, let us consider a relation RN ∈ F . If [x] s −−−→ s00 , we proceed by case analysis on α. The most interesting case is α = n B [x, y¯ ] w. ¯ By rule (openrec ), we get n B [¯y] w¯

n B [¯y] (w·{x7 ¯ →v})

that s −−−−−−−→ s00 . From this, for all v, s · {x 7→ v} −−−−−−−−−−−−−→ s00 · {x 7→ v}. [x] v 0 By definition of RN , for all v, we get that s · {x 7→ v}RN s · {x 7→ v}, where v RN belongs to a bisimulation. Hence, we would have two possibilities: s0 · {x 7→ n B [¯y] (w·{x7 ¯ →v})

∅

v} −−−−−−−−−−−−−→ or s0 · {x 7→ v} −−→. In the former case, because of property (∗), n B [¯y] (w·{x7 ¯ →v})

we get that s0 · {x 7→ v} −−−−−−−−−−−−−→ s000 · {x 7→ v} and, for all v¯ 0 s.t. M(¯y, v¯ 0 ) = σ, n B [¯y] w¯

v 000 s · {x 7→ v} ] σ, where s000 is such that s0 −−−−−−−→ s000 . By s00 · {x 7→ v} ] σ RN n B [x,¯y] w¯

rule (openrec ), we conclude that [x] s0 −−−−−−−−−→ s000 . ∅

In the latter case, i.e. when α = ∅, we have two possibilities. In one case, s −−→ s000 ∅

[x] with s00 ≡ [x] s000 . Then, for all v, s·{x 7→ v} −−→ s000 ·{x 7→ v}. By definition of RN , ∅

v 0000 there exits s0000 such that s0 ·{x 7→ v} −−→ s0000 ·{x 7→ v} and s000 ·{x 7→ v}RN s ·{x 7→ 2

The case where D contains more than one free variable can be dealt with in a similar way.

36

v v}, for some RN belonging to a bisimulation. Since the communication does not ∅

∅

involve x, we get that s0 −−→ s0000 and, hence, [x] s0 −−→ [x] s0000 . We conclude [x] [x] by noticing that, by definition of RN , it holds that [x] s000 RN [x] s0000 . The other {x7→v0 }

∅

possibility is that s −−−−−−→ s000 with s00 = s000 · {x 7→ v0 }. Then, for all v, s −−→ s000 · ∅

[x] {x 7→ v}. By definition of RN , there exits s0000 such that s0 ·{x 7→ v} −−→ s0000 ·{x 7→ v} v 0000 v 000 and s · {x 7→ v}RN s · {x 7→ v}, for some RN belonging to a bisimulation. By {x7→v0 }

∅

property (∗), s0 −−−−−−→ s0000 and, hence, [x] s0 −−→ s0000 · {x 7→ v0 }. Finally, from [x] v 0000 s000 · {x 7→ v}RN s · {x 7→ v}, by letting v = v0 and by definition of RN , we get that [x] s000 · {x 7→ v0 }RN s0000 · {x 7→ v0 }. – C = D | s. By induction, we may assume that D[[s1 ]] ∼m D[[s2 ]]. If D is a closed context, then there exists a bisimulation F such that D[[s1 ]]R∅ D[[s2 ]] with R∅ ∈ F . By Lemma 1, we can prove the thesis by showing that the family of relations 0 0 F 0 = { RN 0 : RN ∈ F , N ⊆ N } 0 RN n] (s0 | s), [¯n] (s00 | s) ) : s0 RN s00 , for some n¯ and s s.t. N ∩ re(s) = ∅ } 0 = { ( [¯

where re(s) is the set of the receiving endpoint used in s, is a bisimulation up-to ≡. 0 0 Notice that for each relation RN ∈ F there exists a family of relations RN 0 ∈ F 0 0 for N ⊆ N such that RN ⊆ RN 0 (in fact, s can be 0 and n¯ can be empty). α

0 0 Let us consider a relation RN n] (s0 | s) −−−→ s000 , then the proof proceeds 0 ∈ F . If [¯ by case analysis on α. We only take a look at the cases of bound invocation and communication of private names. • α = n C [m] ¯ v¯ We have two possibilities: nC[m ¯ 0 ] v¯

∗ s −−−−−−−→ s3 , m ¯ 0 ⊆ m, ¯ s000 ≡ [¯n\m] ¯ (s0 | s3 ). 0 If n ∈ N then we immediately conclude, because Definition 4 does not impose any requirement in this case. Instead, if n < N 0 then [¯n] (s00 | nC[m] ¯ v¯

s) −−−−−−−→ [¯n\m] ¯ (s00 | s3 ). Since s0 RN s00 , by definition of F 0 we get 0 0 that [¯n\m] ¯ (s | s3 ) RN n\m] ¯ (s00 | s3 ). 0 ∪m ¯ [¯ nC[m ¯ 0 ] v¯

∗ s0 −−−−−−−→ s3 , m ¯ 0 ⊆ m, ¯ s000 ≡ [¯n\m] ¯ (s3 | s). 0 If n ∈ N then we immediately conclude. Otherwise, since s0 RN s00 for RN belonging to the bisimulation F , we get that there exists s4 such that nC[m ¯ 0 ] v¯

nC[m] ¯ v¯

s00 −−−−−−−→ s4 and s3 RN∪m¯ 0 s4 . Thus, we have that [¯n] (s00 | s) −−−−−−−→ [¯n\m] ¯ (s4 | s). From this and by definition of F 0 we get that [¯n\m] ¯ (s3 | s) RN 0 ∪m¯ [¯n\m] ¯ (s4 | s). n C [m] ¯ v¯

n B [ x¯] w¯

¯ |=| x¯ |. • α = ∅, s0 −−−−−−−→ s3 , s ≡ [ x¯] s4 −−−−−−−→ s5 , | m By rules (str), (delcom ) and (com), we get that (s0 | s) ≡ [ x¯] (s0 | s4 ), (s0 | { x¯7→m} ¯

s4 ) −−−−−−→ (s3 | s5 ), M(w, ¯ v¯ ) = { x¯ 7→ m}, ¯ and s000 ≡ [¯n, m] ¯ (s3 | s5 · { x¯ 7→ m}). ¯ Since n is a receiving endpoint of s, then n < N. From this and since s0 RN s00 for RN belonging to the bisimulation F , we get that there exists s6 such that 37

n C [m] ¯ v¯

∅

s00 −−−−−−−→ s6 and s3 RN∪ m¯ s6 , where RN∪ m¯ ∈ F . Hence, [¯n] (s00 | s) −−→ [¯n, m] ¯ (s6 | s5 · { x¯ 7→ m}). ¯ Since s3 RN∪ m¯ s6 , by definition of F 0 , we conclude 0 that [¯n, m] ¯ (s3 | s5 · { x¯ 7→ m})R ¯ n, m] ¯ (s6 | s5 · { x¯ 7→ m}). ¯ The generalisation N0∪ m ¯ [¯ to the case | m ¯ | n ∅ m v¯

m, by hypothesis, C[[s2 ]] −−−−−−→ s4 and s3 'µ s4 . Since s3 ↓m , by barb preservation, we get s4 ↓m . This fact implies that s2 has performed an invoke activity n!(¯v00 , v¯ 0 ) matching n?(x1 , . . . , xm , v¯ 0 ). If v¯ 00 would contain some non-restricted names, e.g. v000 , then we could define a context D = [[·]] | m?hv000 i. m0 !hi, for m0 fresh, that can ∅

tell s3 and s4 apart. Indeed, D[[s4 ]] −−→ s5 with s5 ↓m0 , while for each s6 such ∅

that D[[s3 ]] −−→ s6 , it holds that s6 6↓m0 ! , that would contradict s5 'µ s6 (implied by the hypothesis s3 'µ s4 ). Thus, v¯ 00 is a tuple of restricted names and, possibly by n C [¯n] v¯

exploiting α-conversion, we get that s2 −−−−−−−→ s02 and s4 = [n] (s02 | m!hn1 i | . . . | m!hnm i). From s3 'µ s4 and by definition of F , we conclude that s01 R n¯ s02 . 42

– α = n B [ x¯] w. ¯ We have the following possibilities: • α = n B hi. ∅

We consider the context C = [[·]] | n!hi and the computation C[[s1 ]] −−→ s01 . By ∅

hypothesis, C[[s2 ]] −−→ s and s01 'µ s. We have two possibilities: n B hi

1. s2 −−−−−→ s02 and s = s02 ; ∅

2. s2 −−→ s02 and s = s02 | n!hi; In both cases the thesis follows from the fact that, by definition of F , 'µ ⊆ R∅ . • α = n B [ x¯] x¯. We consider the context C = [[·]] | n!¯v for some v¯ such that M( x¯, v¯ ) = σ, n ∅ |¯v| v¯

noConf(s2 , n, v¯ , | x¯ |) = true and C[[s1 ]] −−−−−−→ s01 · σ. By hypothesis, we have two possibilities: n ∅ |¯v| v¯

1. C[[s2 ]] −−−−−−→ s and s1 · σ 'µ s. There are two cases: n B [ x¯] x¯

(a) s2 −−−−−−−→ s02 and s = s02 · σ; n ∅ |¯v| v¯

(b) s2 −−−−−−→ s002 . Since the length of the generated substitution is | v¯ | (i.e. the argument of the executed receive is a tuple of only variables), n B [ x¯] x¯

by rule (com), s2 −−−−−−−→ s02 and, hence, we can proceed as in the previous case. ∅

∅

2. C[[s2 ]] −−→ s and s01 'µ s. This means that s2 −−→ s02 and s = s02 | n!¯v. In both cases the thesis follows from the fact that, by definition of F , 'µ ⊆ R∅ . • α = n B [ x¯] w¯ with | x¯ |,| w¯ |. Without loss of generality, we may assume that w¯ = ( x¯, v¯ ). We consider the context C = [[·]] | n!(¯v0 , v¯ ) with v¯ 0 such that for any receive activity n?w¯ 0 that s1 and s2 can immediately perform, with w¯ 0 more or equal defined than w, ¯ n ∅ | x¯| (¯v0 ,¯v)

M(w¯ 0 , (¯v0 , v¯ )) does not hold. Then, consider the transition C[[s1 ]] −−−−−−−−−→ n ∅ | x¯| (¯v0 ,¯v)

s01 · { x¯ 7→ v¯ 0 }. By hypothesis, C[[s2 ]] −−−−−−−−−→ s and s01 · { x¯ 7→ v¯ 0 } 'µ s. We have the following possibilities: n B [¯y] w¯ 0

1. s2 −−−−−−−−→ s02 . Since the substitution generated by the communication is | x¯ | long, we have that | x¯ |=| y¯ | and, by possibly exploiting α-conversion, we get that n B [ x¯] w¯ 00

s2 −−−−−−−−→ s02 with w¯ 00 obtained from w¯ 0 by replacing y¯ with x¯. From this, we have that w¯ 00 is as defined as w. ¯ Moreover, by rule (com), we have that M(w¯ 00 , (¯v0 , v¯ )) holds. Hence, by the constraints on v¯ 0 , we get w¯ 00 = w. ¯ n B [ x¯] w¯

Finally, s2 −−−−−−−→ s02 and s = s02 · { x¯ 7→ v¯ 0 }. n ∅ | x¯| (¯v0 ,¯v)

2. s2 −−−−−−−−−→ s02 and s = s02 | n!(¯v0 , v¯ ). By rule (com) and by following the same reasoning used before, we can n ∅ | x¯| (¯v0 ,¯v)

n B [ x¯] w¯

state that s2 −−−−−−−→ s002 . Therefore, C[[s2 ]] −−−−−−−−−→ s002 · { x¯ 7→ v¯ 0 } and s01 · { x¯ 7→ v¯ 0 } 'µ s002 · { x¯ 7→ v¯ 0 }. In both cases the thesis follows from the fact that, by definition of F , 'µ ⊆ R∅ . t u 43

A.3

COWS

Theorem A7 (Theorem 7) ∼ is a congruence for COWS. Proof. We shall prove that, given two COWS closed terms s1 and s2 , if s1 ∼ s2 then C[[s1 ]] ∼ C[[s2 ]] for every context C. The proof is by induction on the structure of the context C. The base case, i.e. whenever C = [[·]], is trivial. For the inductive case, we take a look at two cases: – C = [k] D. If D is a closed context, then [k] D ≡ D and, by induction, we immediately conclude. Instead, if D contains the free killer label k at most3 , by induction we may assume that D[[s1 ]] ∼ D[[s2 ]]. This means that, there exists a bisimulation F such that D[[s1 ]]R∅ D[[s2 ]] for some R∅ ∈ F . Now, consider the following family of relations: { { ( [k] s, [k] s0 ) : s RN s0 , s and s0 satisfy (∗) } ∪ RN : RN ∈ F } k

k

where property (∗) states that if s −−→ s00 then s0 −−→ s000 and s00 RN s000 . The proof proceed by proving that the above family of relations is a bisimulation up-to ≡. Indeed, by letting s = D[[s1 ]] and s0 = D[[s2 ]], we obtain the thesis. In fact, since s1 and s2 are closed terms, D[[s1 ]] and D[[s2 ]] satisfy property (∗). α

0 Thus, let us consider a relation RN belonging to the above family. If [k] s −−−→ s3 , we proceed by case analysis on α. The most interesting case is α = †, with k

k

s −−→ s4 and s3 = [k] s4 . By property (*), s0 −−→ s5 and s4 RN s5 . From this, we †

0 0 get that [k] s0 −−→ [k] s5 and, by definition of RN , we conclude [k] s4 RN [k] s5 . The 0 remaining cases can be easily proved by exploiting the fact that s RN s . – C = {|D|}. By induction, we may assume that D[[s1 ]] ∼ D[[s2 ]]. If C is a closed context, then there exists a bisimulation F such that D[[s1 ]]R∅ D[[s2 ]] for some R∅ ∈ F . Thus, we can prove the thesis by showing that { { ({|s|}, {|s0 |}) : sRN s0 } , RN ∈ F } is a bisimulation up-to ≡. Instead, if D contains free variables, we must consider D[[s1 ]] and D[[s2 ]] under all possible substitution for such variables. t u

3

The case where D contains more than one free killer label can be dealt with in a similar way, while the case where D contains free variables can be dealt with as in Theoerm A1.

44

On observing dynamic prioritised actions in SOC

On observing dynamic prioritised actions in SOC

Suggest Documents

Stereoscopically Observing Manipulative Actions

simulating actions in dynamic environments

Observing Expertise-Related Actions Leads to

Representing Actions over Dynamic Domains

Neural correlates of observing joint actions with ... - Floris de Lange

Predicting Future User Actions by Observing Unmodified ... - WSU EECS

The Case of Pretense: Observing Actions and ... - MIT Press Journals

The Case of Pretense: Observing Actions and ... - MIT Press Journals

Value Oscillation in Knowledge Infrastructure: Observing its Dynamic

Impact of Ad Impressions on Dynamic Commercial Actions - CiteSeerX

SoC

Actions in the Eye: Dynamic Gaze Datasets and Learnt ... - arXiv

Modeling Actions in Dynamic Engineering Design ... - Semantic Scholar

Observing - ScienceDirect.comwww.researchgate.net › publication › fulltext › Observing

Dissociating dynamic probability and predictability in observed actions ...

Characterizing Actions in a Dynamic Common Pool Resource ... - MDPI

On semisimple Hopf actions

IPPA: Individually Prioritised Problem Assessment

IPPA: Individually Prioritised Problem Assessment - IOS Press

DEVELOPING 'N-CIRCLE': A PRIORITISED AGENDA ...

Partial Actions on Categories

Distributed and Prioritised Scheduling to Implement Carrier ...

A Dynamic Scheduling Method of Earth-Observing Satellites by ...

On the Conventionalization of Mouth Actions in